Open
Description
Terraform Core Version
1.9.2
AWS Provider Version
5.66, 5.29
Affected Resource(s)
aws_verifiedaccess_trust_provider
Expected Behavior
Force-replace the resource without impacting the linked resources.
In other words:
- detach the VATP from the VAI, change the configs, and attach it again
Actual Behavior
It fails because of the indirect dependency on the Verified Access instance and can't replace it, as it is attached to the VAG and VATP.
Relevant Error/Panic Output Snippet
# aws_verifiedaccess_instance_trust_provider_attachment.personal_okta_main must be replaced
-/+ resource "aws_verifiedaccess_instance_trust_provider_attachment" "personal_okta_main" {
~ id = "vai-0c7343c9280ac5dc3/vatp-072c6e9c2163c4da6" -> (known after apply)
~ verifiedaccess_trust_provider_id = "vatp-072c6e9c2163c4da6" -> (known after apply) # forces replacement
# (1 unchanged attribute hidden)
}
# aws_verifiedaccess_trust_provider.personal_okta must be replaced
-/+ resource "aws_verifiedaccess_trust_provider" "personal_okta" {
~ id = "vatp-072c6e9c2163c4da6" -> (known after apply)
tags = {
"Name" = "va-poc-musti-trust-provider"
}
# (6 unchanged attributes hidden)
~ oidc_options {
~ authorization_endpoint = "https://dev-53010038.okta.com/oauth2/default/v1/authorize" -> "https://dev-5301003.okta.com/oauth2/default/v1/authorize" # forces replacement
~ issuer = "https://dev-53010038.okta.com/oauth2/default" -> "https://dev-5301003.okta.com/oauth2/default" # forces replacement
~ token_endpoint = "https://dev-53010038.okta.com/oauth2/default/v1/token" -> "https://dev-5301003.okta.com/oauth2/default/v1/token" # forces replacement
~ user_info_endpoint = "https://dev-53010038.okta.com/oauth2/default/v1/userinfo" -> "https://dev-5301003.okta.com/oauth2/default/v1/userinfo" # forces replacement
# (3 unchanged attributes hidden)
}
}
Plan: 2 to add, 0 to change, 2 to destroy.
aws_verifiedaccess_instance_trust_provider_attachment.personal_okta_main: Destroying... [id=vai-0c7343c9280ac5dc3/vatp-072c6e9c2163c4da6]
Error: deleting Verified Access Instance Trust Provider Attachment (vai-0c7343c9280ac5dc3/vatp-072c6e9c2163c4da6): operation error EC2: DetachVerifiedAccessTrustProvider, https response error StatusCode: 400, RequestID: 1a11a7c3-5b59-4007-883b-dd6dc0c77ed8, api error VerifiedAccessGroupAttachmentExists: VerifiedAccessInstance vai-0c7343c9280ac5dc3 is not empty. Please remove all VerifiedAccessGroups before attaching or detaching a VerifiedAccessTrustProvider with TrustProviderType user
Terraform Configuration Files
# local.resource_prefix, local.private_endpoint, var.okta_client_id, var.okta_domain,
# data.aws_ssm_parameter.okta_client_secret, data.aws_subnets.spoke_v3_private,
# module.acm and module.private_alb are defined elsewhere in the configuration (not shown).

resource "aws_verifiedaccess_instance" "main" {
  description = "testing purpose"
  tags = {
    "Name" : "${local.resource_prefix}-instance"
  }
}

# The oidc_options attributes changed in the plan above are marked "forces replacement",
# so editing the Okta domain replaces the trust provider and therefore its attachment.
resource "aws_verifiedaccess_trust_provider" "personal_okta" {
  policy_reference_name    = "okta"
  trust_provider_type      = "user"
  user_trust_provider_type = "oidc"
  oidc_options {
    client_id              = var.okta_client_id
    client_secret          = data.aws_ssm_parameter.okta_client_secret.value
    issuer                 = var.okta_domain
    authorization_endpoint = "${var.okta_domain}/v1/authorize"
    token_endpoint         = "${var.okta_domain}/v1/token"
    user_info_endpoint     = "${var.okta_domain}/v1/userinfo"
    scope                  = "openid profile groups"
  }
  tags = {
    "Name" : "${local.resource_prefix}-trust-provider"
  }
}

resource "aws_verifiedaccess_instance_trust_provider_attachment" "personal_okta_main" {
  verifiedaccess_instance_id       = aws_verifiedaccess_instance.main.id
  verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.personal_okta.id
}

# The group depends on the attachment but is unchanged by the OIDC edit, so Terraform
# never destroys it; the API then refuses to detach the user-type trust provider.
resource "aws_verifiedaccess_group" "poc_group" {
  verifiedaccess_instance_id = aws_verifiedaccess_instance.main.id
  policy_document            = <<EOT
permit(principal, action, resource)
when {
  context.${aws_verifiedaccess_trust_provider.personal_okta.policy_reference_name}.email_verified == true
};
EOT
  depends_on = [aws_verifiedaccess_instance_trust_provider_attachment.personal_okta_main]
  tags = {
    "Name" : "${local.resource_prefix}-group"
  }
}

resource "aws_verifiedaccess_endpoint" "private_endpoint" {
  application_domain     = local.private_endpoint
  attachment_type        = "vpc"
  description            = "app 2"
  domain_certificate_arn = module.acm.acm_certificate_arn
  endpoint_domain_prefix = local.resource_prefix
  endpoint_type          = "load-balancer"
  policy_document        = <<EOT
permit(principal, action, resource)
when {
  context.${aws_verifiedaccess_trust_provider.personal_okta.policy_reference_name}.groups.containsAny(["Private"])
};
EOT
  load_balancer_options {
    load_balancer_arn = module.private_alb.arn
    port              = 443
    protocol          = "https"
    subnet_ids        = data.aws_subnets.spoke_v3_private.ids
  }
  security_group_ids       = [module.private_alb.security_group_id]
  verified_access_group_id = aws_verifiedaccess_group.poc_group.id
  tags = {
    "Name" : "${local.resource_prefix}-private-endpoint"
  }
}
Steps to Reproduce
- Deploy the VATP
- Change the OIDC configs, such as the URL
- Apply the changes
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No
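Added example (not part of the issue above and not code from the AWS provider): a pre-apply check that reads the JSON form of a plan (`terraform show -json tfplan`) and flags a `user`-type trust provider replacement that `DetachVerifiedAccessTrustProvider` will reject because groups still exist on the instance, which is exactly the failure in the error snippet. The plan JSON embedded below is constructed to mirror the issue's plan (the group ID in it is a placeholder); the `resource_changes` / `change.actions` / `before` layout is Terraform's plan format, while the function names and the finding dictionary are this example's own. `assume_destroyed` models the workaround the API error asks for, destroying the groups before the detach, so the same check can confirm that a staged plan no longer trips the error.

```python
"""Flag Verified Access trust-provider replacements that the detach will reject.

Run stand-alone to check the embedded sample, or pass the path of a
`terraform show -json tfplan` file as the first argument.
"""
import copy
import json
import sys

TP_TYPE = "aws_verifiedaccess_trust_provider"
ATTACH_TYPE = "aws_verifiedaccess_instance_trust_provider_attachment"
GROUP_TYPE = "aws_verifiedaccess_group"

# Constructed sample of plan JSON (resource_changes only) mirroring the issue's plan.
# "vagr-..." is a placeholder group ID, not an identifier from the reporter's account.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_verifiedaccess_instance.main", "type": "aws_verifiedaccess_instance",
         "change": {"actions": ["no-op"],
                    "before": {"id": "vai-0c7343c9280ac5dc3"},
                    "after": {"id": "vai-0c7343c9280ac5dc3"}}},
        {"address": "aws_verifiedaccess_trust_provider.personal_okta", "type": TP_TYPE,
         "change": {"actions": ["delete", "create"],
                    "before": {"id": "vatp-072c6e9c2163c4da6", "trust_provider_type": "user"},
                    "after": {"id": None, "trust_provider_type": "user"}}},
        {"address": "aws_verifiedaccess_instance_trust_provider_attachment.personal_okta_main",
         "type": ATTACH_TYPE,
         "change": {"actions": ["delete", "create"],
                    "before": {"id": "vai-0c7343c9280ac5dc3/vatp-072c6e9c2163c4da6",
                               "verifiedaccess_instance_id": "vai-0c7343c9280ac5dc3",
                               "verifiedaccess_trust_provider_id": "vatp-072c6e9c2163c4da6"},
                    "after": {"verifiedaccess_instance_id": "vai-0c7343c9280ac5dc3",
                              "verifiedaccess_trust_provider_id": None}}},
        {"address": "aws_verifiedaccess_group.poc_group", "type": GROUP_TYPE,
         "change": {"actions": ["no-op"],
                    "before": {"id": "vagr-0123456789abcdef0",
                               "verifiedaccess_instance_id": "vai-0c7343c9280ac5dc3"},
                    "after": {"id": "vagr-0123456789abcdef0",
                              "verifiedaccess_instance_id": "vai-0c7343c9280ac5dc3"}}},
    ],
}


def is_replacement(rc):
    """Terraform encodes replace as a delete action plus a create action."""
    actions = rc["change"]["actions"]
    return "delete" in actions and "create" in actions


def _before(rc):
    """Pre-apply attributes; None for resources that do not exist yet."""
    return rc["change"].get("before") or {}


def blocked_trust_provider_replacements(plan):
    """Return one finding per user-type trust provider whose replacement detaches it
    from an instance that still has a group surviving the apply."""
    by_type = {}
    for rc in plan.get("resource_changes", []):
        by_type.setdefault(rc["type"], []).append(rc)
    findings = []
    for tp in by_type.get(TP_TYPE, []):
        tp_before = _before(tp)
        # The API error only fires for TrustProviderType "user".
        if not is_replacement(tp) or tp_before.get("trust_provider_type") != "user":
            continue
        for att in by_type.get(ATTACH_TYPE, []):
            att_before = _before(att)
            if att_before.get("verifiedaccess_trust_provider_id") != tp_before.get("id"):
                continue
            if "delete" not in att["change"]["actions"]:
                continue  # attachment is not being detached, so nothing to block
            instance_id = att_before.get("verifiedaccess_instance_id")
            # A group blocks the detach if it exists now and is not destroyed by this plan.
            surviving = sorted(
                g["address"] for g in by_type.get(GROUP_TYPE, [])
                if _before(g).get("verifiedaccess_instance_id") == instance_id
                and "delete" not in g["change"]["actions"])
            if surviving:
                findings.append({"trust_provider": tp["address"], "attachment": att["address"],
                                 "instance_id": instance_id, "blocking_groups": surviving})
    return findings


def assume_destroyed(plan, addresses):
    """Copy of the plan in which the given resources are destroyed first (the staged
    workaround the API error asks for), so the check can be re-run against it."""
    staged = copy.deepcopy(plan)
    for rc in staged.get("resource_changes", []):
        if rc["address"] in addresses:
            rc["change"]["actions"] = ["delete"]
    return staged


def main():
    plan = SAMPLE_PLAN if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    findings = blocked_trust_provider_replacements(plan)
    for f in findings:
        print(f"{f['trust_provider']}: replacing it detaches {f['attachment']} from "
              f"{f['instance_id']}, but DetachVerifiedAccessTrustProvider will fail while "
              f"these groups exist: {', '.join(f['blocking_groups'])}")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

A non-zero exit lets the check gate a pipeline stage before `terraform apply` runs; on the sample plan it reports `aws_verifiedaccess_group.poc_group` as the group that keeps `vai-0c7343c9280ac5dc3` non-empty, and the same plan with that group staged for destruction produces no findings.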