Identity provider URL update behavior doesn't match UI #583

Open
keeganwitt opened this issue Mar 7, 2025 · 1 comment
Labels
enhancement New feature or request

keeganwitt commented Mar 7, 2025

If you change the provider URL (for example, maybe you migrated the provider URL or are moving from one provider to another), it forces the re-creation of all the identity pools using that identity provider. However, if you make this change via the Confluent Cloud console, it doesn't force this update. As an example, changing my_provider's JWKS and/or issuer URL(s) will re-create my_pool.

```hcl
resource "confluent_identity_provider" "my_provider" {
  display_name = "My OIDC Provider"
  description  = "OIDC provider for workload authentication"
  issuer       = "https://example.com"
  jwks_uri     = "https://example.com/jwks"
}

resource "confluent_identity_pool" "my_pool" {
  # The pool is tied to the ID of the provider declared above.
  identity_provider {
    id = confluent_identity_provider.my_provider.id
  }
  display_name   = "My Identity Pool"
  description    = "Identity pool for workload authentication"
  identity_claim = "claims.sub"
  filter         = "claims.aud==\"confluent.cloud\"&&claims.sub == \"spiffe://example.com/ns/my-namespace/sa/my-service-account\""
}
```

This is because of

```go
if d.HasChangesExcept(paramDisplayName, paramDescription) {
	return diag.Errorf("error updating Identity Provider %q: only %q, %q attributes can be updated for Identity Provider", d.Id(), paramDisplayName, paramDescription)
}
```

and

```go
if d.HasChangesExcept(paramDisplayName, paramDescription, paramIdentityClaim, paramFilter) {
	return diag.Errorf("error updating Identity Pool %q: only %q, %q, %q, %q attributes can be updated for Identity Pool", d.Id(), paramDisplayName, paramDescription, paramIdentityClaim, paramFilter)
}
```
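
A pre-apply check for the behaviour described in this issue, added here as an example and not part of the issue or the provider's own code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and lists identity providers and pools that would be destroyed and re-created. The sample plan, the `other_pool` and `dev` resources, and the helper name `replacedIdentityResources` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the subset of `terraform show -json <planfile>` used below.
const samplePlan = `{"resource_changes":[
 {"address":"confluent_identity_provider.my_provider","type":"confluent_identity_provider","change":{"actions":["delete","create"]}},
 {"address":"confluent_identity_pool.my_pool","type":"confluent_identity_pool","change":{"actions":["delete","create"]}},
 {"address":"confluent_identity_pool.other_pool","type":"confluent_identity_pool","change":{"actions":["update"]}},
 {"address":"confluent_environment.dev","type":"confluent_environment","change":{"actions":["create","delete"]}}]}`

// plan models only the plan JSON fields this check needs.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			Actions []string `json:"actions"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// replacedIdentityResources (hypothetical helper) lists identity providers and pools the plan would re-create.
func replacedIdentityResources(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parsing plan JSON: %w", err)
	}
	watched := map[string]bool{"confluent_identity_provider": true, "confluent_identity_pool": true}
	var replaced []string
	for _, rc := range p.ResourceChanges {
		seen := map[string]bool{}
		for _, a := range rc.Change.Actions {
			seen[a] = true
		}
		// A replacement is reported as both "delete" and "create", in either order.
		if watched[rc.Type] && seen["create"] && seen["delete"] {
			replaced = append(replaced, rc.Address)
		}
	}
	return replaced, nil
}

func main() {
	addrs, err := replacedIdentityResources([]byte(samplePlan))
	fmt.Println("would be re-created:", addrs, "error:", err)
}
```

In-place updates (such as `other_pool`) and replacements of other resource types are not reported, so a non-empty result can gate the apply step in CI.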

@linouk23 linouk23 added the enhancement New feature or request label Mar 8, 2025
@linouk23
Contributor

@keeganwitt, thanks for creating the issue!

It seems like the issue is very similar to

All contributions are welcome! Would you be interested in creating a PR on your own?
