diff --git a/docs/exporting-configuration/README.md b/docs/exporting-configuration/README.md index 07970158..2d2a4cc8 100644 --- a/docs/exporting-configuration/README.md +++ b/docs/exporting-configuration/README.md 
@@ -2,8 +2,15 @@ ## Resolving Terraform Plan Errors -The following documents describe the actions that must be taken, per provider, to resolve `terraform plan` errors following configuration generation. +When generating Terraform HCL configuration, errors on `terraform plan` are expected. Reasons for plan errors include: -- [PingOne Terraform Provider](./pingone-plan-errors.md) +- Certain field values are not retrievable from the Ping system. This might be because values are sensitive (secret) and are not retrievable to maintain tenant security. In these cases, manual adjustment is needed to ensure these values are defined in generated HCL. +- Ambiguity in the retrieved configuration from the Ping system. In these cases, the intention of the configuration cannot be accurately determined and requires manual correction. +- Limitations with Terraform's `terraform plan --generate-config-out` command action. Limitations are described in further detail on Terraform's developer documentation, [Generating Configuration](https://developer.hashicorp.com/terraform/language/import/generating-configuration) -If you encounter an error that is not documented, please [raise a new issue](https://github.com/pingidentity/pingcli/issues/new?title=Undocumented%20Config%20Generation%20Error). \ No newline at end of file +The following documents describe the actions that must be taken, per provider, to resolve the various `terraform plan` errors following configuration generation. + +- [PingFederate Terraform Provider](./plan-errors/pingfederate.md) +- [PingOne Terraform Provider](./plan-errors/pingone.md) + +If you encounter an error that is not documented, please [raise a new issue](https://github.com/pingidentity/pingcli/issues/new?title=Undocumented%20Config%20Generation%20Error). diff --git a/docs/exporting-configuration/pingone-plan-errors.md b/docs/exporting-configuration/pingone-plan-errors.md deleted file mode 100644 index 76783ce6..00000000 
--- a/docs/exporting-configuration/pingone-plan-errors.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# Ping CLI - Exporting Platform Configuration - PingOne Plan Errors - -The following sections describe the actions that must be taken, per resource, to resolve `terraform plan` errors following configuration generation. - -If you encounter an error that is not documented, please [raise a new issue](https://github.com/pingidentity/pingcli/issues/new?title=Undocumented%20PingOne%20Config%20Generation%20Error). - -## Resource: pingone_application - -### Attribute saml_options.type value must be one of: ["WEB_APP" "CUSTOM_APP"], got: "TEMPLATE_APP" - -**Cause**: Template applications are not supported in the PingOne provider version used to run `terraform plan`. - -**Resolution**: Upgrade the PingOne Terraform provider version. Further details can be found at https://github.com/pingidentity/terraform-provider-pingone/issues/841 - -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/application#nestedatt--saml_options) - -## Resource: pingone_branding_theme - -### 2 attributes specified when one (and only one) of [background_color.<.background_color,background_color.<.use_default_background,background_color.<.background_image] is required - -**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. - -**Resolution**: Manual modification is required to ensure only one of `background_color`, `use_default_background` or `background_image` is defined. - -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/branding_theme#schema) - -## Resource: pingone_certificate - -### one of `pem_file,pkcs7_file_base64` must be specified - -**Cause**: Certificates are not exported from PingOne to maintain tenant security. 
- -**Resolution**: Manual modification is required to set either `pem_file` or `pkcs7_file_base64` in the generated HCL. - -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/certificate#schema) - -## Resource: pingone_forms_recaptcha_v2 - -### Must set a configuration value for the secret_key attribute as the provider has marked it as required - -**Cause**: The reCaptcha v2 secret key is not exported from PingOne to maintain tenant security. - -**Resolution**: Manual modification is required to set `secret_key` in the generated HCL. - -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/forms_recaptcha_v2#schema) - -## Resource: pingone_mfa_application_push_credential - -### No attribute specified when one (and only one) of [apns.<.fcm,apns.<.apns,apns.<.hms] is required - -**Cause**: Push credential values are not exported from PingOne to maintain tenant security. - -**Resolution**: Manual modification is required to set one of `apns`, `fcm`, or `hms` in the generated HCL. - -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/mfa_application_push_credential#schema) - -## Resource: pingone_notification_settings_email - -### Must set a configuration value for the password attribute as the provider has marked it as required. - -**Cause**: Passwords for email servers are not exported from PingOne to maintain tenant security. - -**Resolution**: Manual modification is required to set the `password` field in the generated HCL. 
- -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/notification_settings_email#schema) - -## Resource: pingone_phone_delivery_settings - -### The argument provider_custom.authentication.password is required because provider_custom.authentication.method is configured as: "BASIC" - -**Cause**: Password fields are not exported from PingOne to maintain tenant security. - -**Resolution**: Manual modification is required to set the `provider_custom.authentication.password` value in the generated HCL. - -**Documentation**: -- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/phone_delivery_settings#password) - diff --git a/docs/exporting-configuration/plan-errors/pingfederate.md b/docs/exporting-configuration/plan-errors/pingfederate.md new file mode 100644 index 00000000..97c7972a --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate.md 
@@ -0,0 +1,24 @@ +# Terraform Configuration Generation - PingFederate Plan Errors + +The following sections describe the actions that must be taken, per resource, to resolve `terraform plan` errors following configuration generation. + +If you encounter an error that is not documented, please [raise a new issue](https://github.com/pingidentity/pingcli/issues/new?title=Undocumented%20PingFederate%20Config%20Generation%20Error). + +## General (Any Resource) + +### Reference to undeclared resource - A managed resource "[any]" "[any]" has not been declared in the root module + +**Cause**: Terraform configuration has been generated with syntax errors. This is an issue with the Terraform CLI. + +**Resolution**: Upgrade the Terraform CLI to the latest version available and re-generate the HCL configuration. + +## Resource Plan Errors + +- [pingfederate_certificate_ca](pingfederate_certificate_ca.md) +- [pingfederate_data_store](pingfederate_data_store.md) +- [pingfederate_idp_adapter](pingfederate_idp_adapter.md) +- [pingfederate_kerberos_realm](pingfederate_kerberos_realm.md) +- [pingfederate_oauth_access_token_manager](pingfederate_oauth_access_token_manager.md) +- [pingfederate_oauth_client](pingfederate_oauth_client.md) +- [pingfederate_password_credential_validator](pingfederate_password_credential_validator.md) +- [pingfederate_pingone_connection](pingfederate_pingone_connection.md) diff --git a/docs/exporting-configuration/plan-errors/pingfederate_certificate_ca.md b/docs/exporting-configuration/plan-errors/pingfederate_certificate_ca.md new file mode 100644 index 00000000..ac90db83 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_certificate_ca.md 
@@ -0,0 +1,33 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_certificate_ca) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/certificate_ca#schema) + +## Invalid Attribute Value Length - Attribute file_data string length must be at least 1, got: 0 + +**Cause**: The CA file data is not exported. + +**Resolution**: Manual modification is required to set the `file_data` field in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_certificate_ca" "my_awesome_certificate_ca" { + ca_id = "7zz3****************5fnja" + crypto_provider = null + file_data = "" +} +``` + +After manual modification (`file_data` is defined): +```hcl +resource "pingfederate_certificate_ca" "my_awesome_certificate_ca" { + ca_id = "7zz3****************5fnja" + crypto_provider = null + file_data = filebase64("my_ca.pem") +} +``` + + + diff --git a/docs/exporting-configuration/plan-errors/pingfederate_data_store.md b/docs/exporting-configuration/plan-errors/pingfederate_data_store.md new file mode 100644 index 00000000..ec70bf99 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_data_store.md 
@@ -0,0 +1,46 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_data_store) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/data_store#nestedatt--ldap_data_store) + +## Invalid attribute configuration - 'password' and 'user_dn' must be set together + +**Cause**: The data store password is not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `ldap_data_store.password` field in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_data_store" "my_ldap_data_store" { + # ... other configuration parameters + + ldap_data_store = { + # ... other configuration parameters + + ldap_type = "PING_DIRECTORY" + name = "PingDirectory LDAP Data Store" + password = null # sensitive + user_dn = "cn=administrator" + } +} +``` + +After manual modification (`ldap_data_store.password` is defined): +```hcl +resource "pingfederate_data_store" "my_ldap_data_store" { + # ... other configuration parameters + + ldap_data_store = { + # ... other configuration parameters + + ldap_type = "PING_DIRECTORY" + name = "PingDirectory LDAP Data Store" + password = var.pingdirectory_ldap_data_store + user_dn = "cn=administrator" + } +} +``` + + diff --git a/docs/exporting-configuration/plan-errors/pingfederate_idp_adapter.md b/docs/exporting-configuration/plan-errors/pingfederate_idp_adapter.md new file mode 100644 index 00000000..1abfc726 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_idp_adapter.md 
@@ -0,0 +1,78 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_idp_adapter) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/idp_adapter#schema) + +## Missing Configuration for Required Attribute - Must set a configuration value for the configuration.sensitive_fields[Value({"name":"API Key","value":})].value attribute as the provider has marked it as required. + +**Cause**: The DaVinci adapter's API key is not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `configuration.sensitive_fields` field to include an object with `name`=`API Key`, and `value` is the API key, in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_idp_adapter" "my_davinci_adapter" { + # ... other configuration parameters + + adapter_id = "myDaVinciAdapter" + + configuration = { + # ... other configuration parameters + + fields = [ + # ... other configuration parameters + + { + name = "API Request Timeout" + value = jsonencode(5000) + }, + { + name = "Additional Properties Attribute" + value = "additionalProperties" + }, + ] + sensitive_fields = [ + { + name = "API Key" + value = null # sensitive + }, + ] + } +} +``` + +After manual modification (The DaVinci API key is defined): +```hcl +resource "pingfederate_idp_adapter" "my_davinci_adapter" { + # ... other configuration parameters + + adapter_id = "myDaVinciAdapter" + + configuration = { + # ... other configuration parameters + + fields = [ + # ... other configuration parameters + + { + name = "API Request Timeout" + value = jsonencode(5000) + }, + { + name = "Additional Properties Attribute" + value = "additionalProperties" + }, + ] + sensitive_fields = [ + { + name = "API Key" + value = var.my_davinci_adapter_api_key + }, + ] + } +} +``` + + 
diff --git a/docs/exporting-configuration/plan-errors/pingfederate_kerberos_realm.md b/docs/exporting-configuration/plan-errors/pingfederate_kerberos_realm.md new file mode 100644 index 00000000..0562ca0e --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_kerberos_realm.md @@ -0,0 +1,37 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_kerberos_realm) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/kerberos_realm#schema) + +## Invalid attribute configuration - kerberos_password is required when connection_type is set to "DIRECT". + +**Cause**: The Kerberos password is not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `kerberos_password` field in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_kerberos_realm" "my_kerberos_realm" { + # ... other configuration parameters + + connection_type = "DIRECT" + kerberos_password = null # sensitive + kerberos_realm_name = "My Kerberos Realm" + kerberos_username = "myKerberos" +} +``` + +After manual modification (`kerberos_password` is defined): +```hcl +resource "pingfederate_kerberos_realm" "my_kerberos_realm" { + # ... other configuration parameters + + connection_type = "DIRECT" + kerberos_password = var.my_kerberos_realm_password + kerberos_realm_name = "My Kerberos Realm" + kerberos_username = "myKerberos" +} +``` + diff --git a/docs/exporting-configuration/plan-errors/pingfederate_oauth_access_token_manager.md b/docs/exporting-configuration/plan-errors/pingfederate_oauth_access_token_manager.md new file mode 100644 index 00000000..8a84522c --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_oauth_access_token_manager.md 
@@ -0,0 +1,113 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_oauth_access_token_manager) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/oauth_access_token_manager#schema) + +## Missing Configuration for Required Attribute - Must set a configuration value for the configuration.tables[0].rows[0].sensitive_fields[Value({"name":"Key","value":})].value attribute as the provider has marked it as required. + +**Cause**: Symmetric key values are not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `configuration.tables[0].rows[0].sensitive_fields` field to include an object with `name`=`Key`, and `value` is the symmetric key, in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_oauth_access_token_manager" "my_symmetric_key_app" { + # ... other configuration parameters + + configuration = { + fields = [ + # ... other configuration parameters + + { + name = "Active Symmetric Encryption Key ID" + value = "mykey" + }, + { + name = "Active Symmetric Key ID" + value = "mykey" + }, + ] + tables = [ + # ... other configuration parameters + + { + name = "Symmetric Keys" + rows = [ + { + default_row = false + fields = [ + { + name = "Encoding" + value = "b64u" + }, + { + name = "Key ID" + value = "mykey" + }, + ] + sensitive_fields = [ + { + name = "Key" + value = null # sensitive + }, + ] + }, + ] + }, + ] + } +} +``` + +After manual modification (The symmetric key is defined): +```hcl +resource "pingfederate_oauth_access_token_manager" "my_symmetric_key_app" { + # ... other configuration parameters + + configuration = { + fields = [ + # ... other configuration parameters + + { + name = "Active Symmetric Encryption Key ID" + value = "mykey" + }, + { + name = "Active Symmetric Key ID" + value = "mykey" + }, + ] + tables = [ + # ... 
other configuration parameters + + { + name = "Symmetric Keys" + rows = [ + { + default_row = false + fields = [ + { + name = "Encoding" + value = "b64u" + }, + { + name = "Key ID" + value = "mykey" + }, + ] + sensitive_fields = [ + { + name = "Key" + value = var.my_symmetric_key_mykey + }, + ] + }, + ] + }, + ] + } +} +``` + diff --git a/docs/exporting-configuration/plan-errors/pingfederate_oauth_client.md b/docs/exporting-configuration/plan-errors/pingfederate_oauth_client.md new file mode 100644 index 00000000..b3b96538 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_oauth_client.md @@ -0,0 +1,43 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_oauth_client) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/oauth_client#schema) + +## Invalid attribute configuration - client_auth.secret must be defined when client_auth.type is configured to "SECRET" + +**Cause**: The OAuth client secret is not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `client_auth.secret` field in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_oauth_client" "openid_connect_basic_client_profile" { + # ... other configuration parameters + + client_auth = { + # ... other configuration parameters + + secret = null # sensitive + type = "SECRET" + } + client_id = "ac_oic_client" +} +``` + +After manual modification (`client_auth.secret` is defined): +```hcl +resource "pingfederate_oauth_client" "openid_connect_basic_client_profile" { + # ... other configuration parameters + + client_auth = { + # ... other configuration parameters + + secret = var.my_oidc_client_secret + type = "SECRET" + } + client_id = "ac_oic_client" +} +``` + 
diff --git a/docs/exporting-configuration/plan-errors/pingfederate_password_credential_validator.md b/docs/exporting-configuration/plan-errors/pingfederate_password_credential_validator.md new file mode 100644 index 00000000..9107539a --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_password_credential_validator.md 
@@ -0,0 +1,281 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_password_credential_validator) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/password_credential_validator#schema) + +## Must set a configuration value for the configuration.tables[0].rows[*].sensitive_fields[Value({"name":"Confirm Password","value":})].value attribute as the provider has marked it as required + +**Cause**: Simple password credential validator password values are not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `configuration.tables[0].rows[*].sensitive_fields` field to include an object with `name`=`Confirm Password`, and `value` is the simple password to use for that user, in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_password_credential_validator" "simple_username_password_credential_validator" { + # ... other configuration parameters + + configuration = { + # ... 
other configuration parameters + + tables = [ + { + name = "Users" + rows = [ + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = null # sensitive + }, + { + name = "Password" + value = null # sensitive + }, + ] + }, + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example2" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = null # sensitive + }, + { + name = "Password" + value = null # sensitive + }, + ] + }, + ] + }, + ] + } +} +``` + +After manual modification (A password for each user is defined): +```hcl +resource "pingfederate_password_credential_validator" "simple_username_password_credential_validator" { + # ... other configuration parameters + + configuration = { + # ... other configuration parameters + + tables = [ + { + name = "Users" + rows = [ + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = var.simple_pcv_example_password + }, + { + name = "Password" + value = var.simple_pcv_example_password + }, + ] + }, + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example2" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = var.simple_pcv_example2_password + }, + { + name = "Password" + value = var.simple_pcv_example2_password + }, + ] + }, + ] + }, + ] + } +} +``` + +## Must set a configuration value for the configuration.tables[0].rows[*].sensitive_fields[Value({"name":"Password","value":})].value attribute as the provider has marked it as required + 
+**Cause**: Simple password credential validator password values are not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `configuration.tables[0].rows[*].sensitive_fields` field to include an object with `name`=`Password`, and `value` is the simple password to use for that user, in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_password_credential_validator" "simple_username_password_credential_validator" { + # ... other configuration parameters + + configuration = { + # ... other configuration parameters + + tables = [ + { + name = "Users" + rows = [ + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = null # sensitive + }, + { + name = "Password" + value = null # sensitive + }, + ] + }, + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example2" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = null # sensitive + }, + { + name = "Password" + value = null # sensitive + }, + ] + }, + ] + }, + ] + } +} +``` + +After manual modification (A password for each user is defined): +```hcl +resource "pingfederate_password_credential_validator" "simple_username_password_credential_validator" { + # ... other configuration parameters + + configuration = { + # ... 
other configuration parameters + + tables = [ + { + name = "Users" + rows = [ + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = var.simple_pcv_example_password + }, + { + name = "Password" + value = var.simple_pcv_example_password + }, + ] + }, + { + default_row = false + fields = [ + { + name = "Relax Password Requirements" + value = jsonencode(false) + }, + { + name = "Username" + value = "example2" + }, + ] + sensitive_fields = [ + { + name = "Confirm Password" + value = var.simple_pcv_example2_password + }, + { + name = "Password" + value = var.simple_pcv_example2_password + }, + ] + }, + ] + }, + ] + } +} +``` + diff --git a/docs/exporting-configuration/plan-errors/pingfederate_pingone_connection.md b/docs/exporting-configuration/plan-errors/pingfederate_pingone_connection.md new file mode 100644 index 00000000..bd245e18 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingfederate_pingone_connection.md 
@@ -0,0 +1,57 @@ +# Terraform Configuration Generation - PingFederate Plan Errors (pingfederate_pingone_connection) + +**Documentation**: +- [Terraform Registry - PingFederate pingone_connection](https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs/resources/pingone_connection#schema) +- [Terraform Registry - PingOne pingone_gateway_credential](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/gateway_credential) + +## Missing Configuration for Required Attribute - Must set a configuration value for the credential attribute as the provider has marked it as required + +**Cause**: The PingOne credential is not exported from PingFederate to maintain tenant security. + +**Resolution**: Manual modification is required to set the `credential` field in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingfederate_pingone_connection" "my_pingone_environment" { + # ... other configuration parameters + + credential = null # sensitive + name = "My PingOne Environment" +} +``` + +After manual modification, using a variable (`credential` is defined): +```hcl +resource "pingfederate_pingone_connection" "my_pingone_environment" { + # ... other configuration parameters + + credential = var.pingone_credential + name = "My PingOne Environment" +} +``` + +After manual modification, using the PingOne Terraform provider (`credential` is defined): +```hcl +resource "pingone_gateway" "my_awesome_pingfederate_gateway" { + environment_id = pingone_environment.my_environment.id + name = "Advanced Services SSO" + enabled = true + + type = "PING_FEDERATE" +} + +resource "pingone_gateway_credential" "foo" { + environment_id = pingone_environment.my_environment.id + gateway_id = pingone_gateway.my_awesome_pingfederate_gateway.id +} + +resource "pingfederate_pingone_connection" "my_pingone_environment" { + # ... 
other configuration parameters + + credential = pingone_gateway_credential.foo.credential + name = "My PingOne Environment" +} +``` + diff --git a/docs/exporting-configuration/plan-errors/pingone.md b/docs/exporting-configuration/plan-errors/pingone.md new file mode 100644 index 00000000..1110d2a9 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone.md @@ -0,0 +1,27 @@ +# Terraform Configuration Generation - PingOne Plan Errors + +The following sections describe the actions that must be taken, per resource, to resolve `terraform plan` errors following configuration generation. + +If you encounter an error that is not documented, please [raise a new issue](https://github.com/pingidentity/pingcli/issues/new?title=Undocumented%20PingOne%20Config%20Generation%20Error). + +## General (Any Resource) + +### Reference to undeclared resource - A managed resource "[any]" "[any]" has not been declared in the root module + +**Cause**: Terraform configuration has been generated with syntax errors. This is an issue with the Terraform CLI. + +**Resolution**: Upgrade the Terraform CLI to the latest version available and re-generate the HCL configuration. + +## Resource Plan Errors + +- [pingone_application](pingone_application.md) +- [pingone_branding_theme](pingone_branding_theme.md) +- [pingone_certificate](pingone_certificate.md) +- [pingone_forms_recapcha_v2](pingone_forms_recapcha_v2.md) +- [pingone_gateway](pingone_gateway.md) +- [pingone_identity_provider](pingone_identity_provider.md) +- [pingone_mfa_application_push_credential](pingone_mfa_application_push_credential.md) +- [pingone_notification_settings_email](pingone_notification_settings_email.md) +- [pingone_phone_delivery_settings](pingone_phone_delivery_settings.md) +- [pingone_schema_attribute](pingone_schema_attribute.md) +- [pingone_sign_on_policy_action](pingone_sign_on_policy_action.md) \ No newline at end of file 
diff --git a/docs/exporting-configuration/plan-errors/pingone_application.md b/docs/exporting-configuration/plan-errors/pingone_application.md new file mode 100644 index 00000000..0655cf54 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_application.md @@ -0,0 +1,11 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_application) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/application#nestedatt--saml_options) + +## Invalid Attribute Value Match - Attribute saml_options.type value must be one of: ["WEB_APP" "CUSTOM_APP"], got: "TEMPLATE_APP" + +**Cause**: Template applications are not supported in the PingOne provider version being used. + +**Resolution**: Upgrade the PingOne Terraform provider version. Further details can be found at https://github.com/pingidentity/terraform-provider-pingone/issues/841 + diff --git a/docs/exporting-configuration/plan-errors/pingone_branding_theme.md b/docs/exporting-configuration/plan-errors/pingone_branding_theme.md new file mode 100644 index 00000000..0eef1400 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_branding_theme.md 
@@ -0,0 +1,39 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_branding_theme) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/branding_theme#schema) + +## Invalid Attribute Combination - 2 attributes specified when one (and only one) of [background_color.<.background_color,background_color.<.use_default_background,background_color.<.background_image] is required + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to ensure only one of `background_color`, `use_default_background` or `background_image` is defined. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_branding_theme" "my_awesome_theme" { + # ... other configuration parameters + + background_color = null + background_image = { + href = "https://uploads.pingone.eu/environments/942b****-****-****-****-********985c/images/image.png" + id = "d4a1****-****-****-****-********ba9d" + } + use_default_background = false +} +``` + +After manual modification (`background_color` and `use_default_background` are removed): +```hcl +resource "pingone_branding_theme" "my_awesome_theme" { + # ... other configuration parameters + + background_image = { + href = "https://uploads.pingone.eu/environments/942b****-****-****-****-********985c/images/image.png" + id = "d4a1****-****-****-****-********ba9d" + } +} +``` + diff --git a/docs/exporting-configuration/plan-errors/pingone_certificate.md b/docs/exporting-configuration/plan-errors/pingone_certificate.md new file mode 100644 index 00000000..1372ba1c --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_certificate.md 
@@ -0,0 +1,33 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_certificate) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/certificate#schema) + +## Invalid combination of arguments - one of `pem_file,pkcs7_file_base64` must be specified + +**Cause**: Certificates are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set either `pem_file` or `pkcs7_file_base64` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_certificate" "my_awesome_cert" { + environment_id = "942b****-****-****-****-********985c" + pem_file = null + pkcs7_file_base64 = null + usage_type = "ENCRYPTION" +} +``` + +After manual modification (using PEM as an example, `pem_file` is defined): +```hcl +resource "pingone_certificate" "my_awesome_cert" { + environment_id = "942b****-****-****-****-********985c" + pem_file = file("../path/to/certificate.pem") + usage_type = "ENCRYPTION" +} +``` + + diff --git a/docs/exporting-configuration/plan-errors/pingone_forms_recapcha_v2.md b/docs/exporting-configuration/plan-errors/pingone_forms_recapcha_v2.md new file mode 100644 index 00000000..8c8d226f --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_forms_recapcha_v2.md 
@@ -0,0 +1,30 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_forms_recaptcha_v2) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/forms_recaptcha_v2#schema) + +## Missing Configuration for Required Attribute - Must set a configuration value for the secret_key attribute as the provider has marked it as required + +**Cause**: The reCaptcha v2 secret key is not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `secret_key` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_forms_recaptcha_v2" "my_awesome_recaptcha_configuration" { + environment_id = "942b****-****-****-****-********985c" + secret_key = null # sensitive + site_key = "6L****************-******************hp" +} +``` + +After manual modification (`secret_key` is defined): +```hcl +resource "pingone_forms_recaptcha_v2" "my_awesome_recaptcha_configuration" { + environment_id = "942b****-****-****-****-********985c" + secret_key = var.my_awesome_recaptcha_configuration_secret_key + site_key = "6L****************-******************hp" +} +``` diff --git a/docs/exporting-configuration/plan-errors/pingone_gateway.md b/docs/exporting-configuration/plan-errors/pingone_gateway.md new file mode 100644 index 00000000..a3cd5849 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_gateway.md 
@@ -0,0 +1,96 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_gateway) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/gateway#schema) + +## Invalid Attribute Combination - Attribute "bind_password" must be specified when "[bind_dn|connection_security|follow_referrals|servers|user_types|validate_tls_certificates|vendor]" is specified + +**Cause**: The LDAP bind password is not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `bind_password` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_gateway" "my_pingdirectory" { + # ... other configuration parameters + + bind_dn = "cn=administrator" + bind_password = null # sensitive + connection_security = "TLS" + follow_referrals = false + servers = ["my-directory:636"] + type = "LDAP" + user_types = { + # ... other configuration parameters + } + validate_tls_certificates = true + vendor = "PingDirectory" +} +``` + +After manual modification (`bind_password` is defined): +```hcl +resource "pingone_gateway" "my_pingdirectory" { + # ... other configuration parameters + + bind_dn = "cn=administrator" + bind_password = var.my_directory_pingdirectory_bind_dn + connection_security = "TLS" + follow_referrals = false + servers = ["my-directory:636"] + type = "LDAP" + user_types = { + # ... other configuration parameters + } + validate_tls_certificates = true + vendor = "PingDirectory" +} +``` + +## Missing required argument - The argument bind_password is required because type is configured as: "LDAP" + +**Cause**: The LDAP bind password is not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `bind_password` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_gateway" "my_pingdirectory" { + # ... 
other configuration parameters + + bind_dn = "cn=administrator" + bind_password = null # sensitive + connection_security = "TLS" + follow_referrals = false + servers = ["my-directory:636"] + type = "LDAP" + user_types = { + # ... other configuration parameters + } + validate_tls_certificates = true + vendor = "PingDirectory" +} +``` + +After manual modification (`bind_password` is defined): +```hcl +resource "pingone_gateway" "my_pingdirectory" { + # ... other configuration parameters + + bind_dn = "cn=administrator" + bind_password = var.my_directory_pingdirectory_bind_dn + connection_security = "TLS" + follow_referrals = false + servers = ["my-directory:636"] + type = "LDAP" + user_types = { + # ... other configuration parameters + } + validate_tls_certificates = true + vendor = "PingDirectory" +} +``` diff --git a/docs/exporting-configuration/plan-errors/pingone_identity_provider.md b/docs/exporting-configuration/plan-errors/pingone_identity_provider.md new file mode 100644 index 00000000..5a6991ba --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_identity_provider.md 
@@ -0,0 +1,368 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_identity_provider) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/identity_provider#schema) + +## Missing Configuration for Required Attribute - Must set a configuration value for the amazon.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `amazon.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "amazon" { + # ... other configuration parameters + + amazon = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`amazon.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "amazon" { + # ... other configuration parameters + + amazon = { + client_id = "********" + client_secret = var.identity_provider_amazon_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the apple.client_secret_signing_key attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `apple.client_secret_signing_key` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "apple" { + # ... other configuration parameters + + apple = { + client_id = "********" + client_secret_signing_key = null # sensitive + key_id = "********" + team_id = "********" + } +} +``` + +After manual modification (`apple.client_secret_signing_key` is defined): +```hcl +resource "pingone_identity_provider" "apple" { + # ... 
other configuration parameters + + apple = { + client_id = "********" + client_secret_signing_key = var.identity_provider_apple_client_secret + key_id = "********" + team_id = "********" + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the facebook.app_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `facebook.app_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "facebook" { + # ... other configuration parameters + + facebook = { + app_id = "********" + app_secret = null # sensitive + } +} +``` + +After manual modification (`facebook.app_secret` is defined): +```hcl +resource "pingone_identity_provider" "facebook" { + # ... other configuration parameters + + facebook = { + app_id = "********" + app_secret = var.identity_provider_facebook_app_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the github.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `github.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "github" { + # ... other configuration parameters + + github = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`github.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "github" { + # ... 
other configuration parameters + + github = { + client_id = "********" + client_secret = var.identity_provider_github_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the google.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `google.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "google" { + # ... other configuration parameters + + google = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`google.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "google" { + # ... other configuration parameters + + google = { + client_id = "********" + client_secret = var.identity_provider_google_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the linkedin.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `linkedin.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "linkedin" { + # ... other configuration parameters + + linkedin = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`linkedin.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "linkedin" { + # ... 
other configuration parameters + + linkedin = { + client_id = "********" + client_secret = var.identity_provider_linkedin_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the microsoft.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `microsoft.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "microsoft" { + # ... other configuration parameters + + microsoft = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`microsoft.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "microsoft" { + # ... other configuration parameters + + microsoft = { + client_id = "********" + client_secret = var.identity_provider_microsoft_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the openid_connect.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `openid_connect.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "openid_connect" { + # ... other configuration parameters + + openid_connect = { + # ... other configuration parameters + + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`openid_connect.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "openid_connect" { + # ... other configuration parameters + + openid_connect = { + # ... 
other configuration parameters + + client_id = "********" + client_secret = var.identity_provider_openid_connect_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the paypal.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `paypal.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "paypal" { + # ... other configuration parameters + + paypal = { + # ... other configuration parameters + + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`paypal.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "paypal" { + # ... other configuration parameters + + paypal = { + # ... other configuration parameters + + client_id = "********" + client_secret = var.identity_provider_paypal_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the twitter.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `twitter.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "twitter" { + # ... other configuration parameters + + twitter = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`twitter.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "twitter" { + # ... 
other configuration parameters + + twitter = { + client_id = "********" + client_secret = var.identity_provider_twitter_client_secret + } +} +``` + +## Missing Configuration for Required Attribute - Must set a configuration value for the yahoo.client_secret attribute as the provider has marked it as required. + +**Cause**: Client secrets for external identity providers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set `yahoo.client_secret` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_identity_provider" "yahoo" { + # ... other configuration parameters + + yahoo = { + client_id = "********" + client_secret = null # sensitive + } +} +``` + +After manual modification (`yahoo.client_secret` is defined): +```hcl +resource "pingone_identity_provider" "yahoo" { + # ... other configuration parameters + + yahoo = { + client_id = "********" + client_secret = var.identity_provider_yahoo_client_secret + } +} +``` diff --git a/docs/exporting-configuration/plan-errors/pingone_mfa_application_push_credential.md b/docs/exporting-configuration/plan-errors/pingone_mfa_application_push_credential.md new file mode 100644 index 00000000..19c32a02 --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_mfa_application_push_credential.md 
@@ -0,0 +1,36 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_mfa_application_push_credential) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/mfa_application_push_credential#schema) + +## Invalid Attribute Combination - No attribute specified when one (and only one) of [apns.<.fcm,apns.<.apns,apns.<.hms] is required + +**Cause**: Push credential values are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set one of `apns`, `fcm`, or `hms` in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_mfa_application_push_credential" "my_awesome_push_credential" { + apns = null + application_id = "71f7****-****-****-****-********dcd7" + environment_id = "942b****-****-****-****-********985c" + fcm = null + hms = null +} +``` + +After manual modification (using APNS as an example, `apns.key`, `apns.team_id` and `apns.token_signing_key` are defined): +```hcl +resource "pingone_mfa_application_push_credential" "my_awesome_push_credential" { + apns = { + key = var.apns_key + team_id = var.apns_team_id + token_signing_key = var.apns_token_signing_key + } + application_id = "71f7****-****-****-****-********dcd7" + environment_id = "942b****-****-****-****-********985c" +} +``` diff --git a/docs/exporting-configuration/plan-errors/pingone_notification_settings_email.md b/docs/exporting-configuration/plan-errors/pingone_notification_settings_email.md new file mode 100644 index 00000000..2b609edb --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_notification_settings_email.md 
@@ -0,0 +1,34 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_notification_settings_email) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/notification_settings_email#schema) + +## Missing Configuration for Required Attribute - Must set a configuration value for the password attribute as the provider has marked it as required. + +**Cause**: Passwords for email servers are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set the `password` field in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_notification_settings_email" "pingone_notification_settings_email" { + # ... other configuration parameters + + host = "smtp-example.bxretail.org" + password = null # sensitive + username = "test" +} +``` + +After manual modification (`password` is defined): +```hcl +resource "pingone_notification_settings_email" "pingone_notification_settings_email" { + # ... other configuration parameters + + host = "smtp-example.bxretail.org" + password = var.pingone_notification_settings_email_password + username = "test" +} +``` diff --git a/docs/exporting-configuration/plan-errors/pingone_phone_delivery_settings.md b/docs/exporting-configuration/plan-errors/pingone_phone_delivery_settings.md new file mode 100644 index 00000000..4e374ebf --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_phone_delivery_settings.md 
@@ -0,0 +1,47 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_phone_delivery_settings) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/phone_delivery_settings#password) + +## Missing required argument - The argument provider_custom.authentication.password is required because provider_custom.authentication.method is configured as: "BASIC" + +**Cause**: Password fields are not exported from PingOne to maintain tenant security. + +**Resolution**: Manual modification is required to set the `provider_custom.authentication.password` value in the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_phone_delivery_settings" "my_awesome_phone_delivery_settings" { + # ... other configuration parameters + + provider_custom = { + # ... other configuration parameters + + authentication = { + auth_token = null # sensitive + method = "BASIC" + password = null # sensitive + username = "myusername" + } + } +} +``` + +After manual modification (`provider_custom.authentication.password` is defined): +```hcl +resource "pingone_phone_delivery_settings" "my_awesome_phone_delivery_settings" { + # ... other configuration parameters + + provider_custom = { + # ... other configuration parameters + + authentication = { + method = "BASIC" + password = var.my_phone_delivery_settings_password + username = "myusername" + } + } +} +``` diff --git a/docs/exporting-configuration/plan-errors/pingone_schema_attribute.md b/docs/exporting-configuration/plan-errors/pingone_schema_attribute.md new file mode 100644 index 00000000..9daa15fb --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_schema_attribute.md 
@@ -0,0 +1,10 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_schema_attribute) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/schema_attribute) + +## Data Loss Protection - This field is immutable and cannot be changed once defined + +**Cause**: Terraform is looking to make a replacement change to a schema attribute, which will cause data to be lost. Data loss protections are invoked. + +**Resolution**: Manual modification is required to remove the resources from the generated HCL, or ensure that state is synchronised with the target platform. diff --git a/docs/exporting-configuration/plan-errors/pingone_sign_on_policy_action.md b/docs/exporting-configuration/plan-errors/pingone_sign_on_policy_action.md new file mode 100644 index 00000000..48afa20c --- /dev/null +++ b/docs/exporting-configuration/plan-errors/pingone_sign_on_policy_action.md 
@@ -0,0 +1,546 @@ +# Terraform Configuration Generation - PingOne Plan Errors (pingone_sign_on_policy_action) + +**Documentation**: +- [Terraform Registry](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/sign_on_policy_action) + +## Conflicting configuration arguments - "conditions.0.anonymous_network_detected": conflicts with [identifier_first|login] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `conditions.0.anonymous_network_detected` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + anonymous_network_detected = false + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.anonymous_network_detected` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "conditions.0.anonymous_network_detected_allowed_cidr": conflicts with [identifier_first|login] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `conditions.0.anonymous_network_detected_allowed_cidr` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + anonymous_network_detected_allowed_cidr = [] + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.anonymous_network_detected_allowed_cidr` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "conditions.0.geovelocity_anomaly_detected": conflicts with [identifier_first|login] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `conditions.0.geovelocity_anomaly_detected` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + geovelocity_anomaly_detected = false + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.geovelocity_anomaly_detected` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "conditions.0.ip_out_of_range_cidr": conflicts with [identifier_first|login] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `conditions.0.ip_out_of_range_cidr` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + ip_out_of_range_cidr = [] + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.ip_out_of_range_cidr` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "conditions.0.ip_reputation_high_risk": conflicts with [identifier_first|login] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `conditions.0.ip_reputation_high_risk` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + ip_reputation_high_risk = false + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.ip_reputation_high_risk` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "conditions.0.last_sign_on_older_than_seconds_mfa": conflicts with [identifier_first|login] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `conditions.0.last_sign_on_older_than_seconds_mfa` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + last_sign_on_older_than_seconds_mfa = 0 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.last_sign_on_older_than_seconds_mfa` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "conditions.0.last_sign_on_older_than_seconds": conflicts with conditions.0.last_sign_on_older_than_seconds_mfa + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to ensure only one of `conditions.0.last_sign_on_older_than_seconds` or `conditions.0.last_sign_on_older_than_seconds_mfa` is set in the generated configuration. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + last_sign_on_older_than_seconds_mfa = 0 + } + + identifier_first { + # ... other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +After manual modification (`conditions.last_sign_on_older_than_seconds_mfa` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_identifier_first_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + last_sign_on_older_than_seconds = 604800 + } + + identifier_first { + # ... 
other configuration parameters + + recovery_enabled = true + discovery_rule { + attribute_contains_text = "@pingidentity.com" + identity_provider_id = "ad3a****-****-****-****-********ef83" + } + } +} +``` + +## Conflicting configuration arguments - "enforce_lockout_for_identity_providers": conflicts with [mfa|progressive_profiling] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `enforce_lockout_for_identity_providers` value from the generated HCL. + +**Example**: + +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + enforce_lockout_for_identity_providers = false + + progressive_profiling { + # ... other configuration parameters + + prompt_text = "For the best experience, we need a couple things from you." + } +} +``` + +After manual modification (`enforce_lockout_for_identity_providers` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + progressive_profiling { + # ... other configuration parameters + + prompt_text = "For the best experience, we need a couple things from you." + } +} +``` + +## Conflicting configuration arguments - "registration_confirm_user_attributes": conflicts with [mfa|progressive_profiling] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `registration_confirm_user_attributes` value from the generated HCL. 
+ +**Example**: + +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + registration_confirm_user_attributes = false + + progressive_profiling { + # ... other configuration parameters + + prompt_text = "For the best experience, we need a couple things from you." + } +} +``` + +After manual modification (`registration_confirm_user_attributes` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + progressive_profiling { + # ... other configuration parameters + + prompt_text = "For the best experience, we need a couple things from you." + } +} +``` + +## Conflicting configuration arguments - "social_provider_ids": conflicts with [mfa|progressive_profiling] + +**Cause**: Due to a [Terraform configuration generation limitation](https://developer.hashicorp.com/terraform/language/import/generating-configuration#conflicting-resource-arguments), conflicting parameters are included in the generated HCL. + +**Resolution**: Manual modification is required to remove the `social_provider_ids` value from the generated HCL. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + social_provider_ids = [] + + progressive_profiling { + # ... other configuration parameters + + prompt_text = "For the best experience, we need a couple things from you." + } +} +``` + +After manual modification (`social_provider_ids` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + progressive_profiling { + # ... other configuration parameters + + prompt_text = "For the best experience, we need a couple things from you." 
+ } +} +``` + +## expected last_sign_on_older_than_seconds_mfa to be at least (1), got 0 + +**Cause**: The `last_sign_on_older_than_seconds_mfa` value is not set in PingOne, and has been exported incorrectly as `0`. + +**Resolution**: Manual modification is required to remove the `last_sign_on_older_than_seconds_mfa` value from the generated HCL, or define a new value greater than `0`. + +**Example**: + +Generated configuration: +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + anonymous_network_detected = true + geovelocity_anomaly_detected = true + ip_reputation_high_risk = true + last_sign_on_older_than_seconds_mfa = 0 + } + mfa { + # ... other configuration parameters + + device_sign_on_policy_id = "7266****-****-****-****-********a5a9" + no_device_mode = "BLOCK" + } +} +``` + +After manual modification (`last_sign_on_older_than_seconds_mfa` is removed): +```hcl +resource "pingone_sign_on_policy_action" "my_awesome_progressive_profiling_action" { + # ... other configuration parameters + + conditions { + # ... other configuration parameters + + anonymous_network_detected = true + geovelocity_anomaly_detected = true + ip_reputation_high_risk = true + } + mfa { + # ... other configuration parameters + + device_sign_on_policy_id = "7266****-****-****-****-********a5a9" + no_device_mode = "BLOCK" + } +} +```
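Review bot: In the final section ("expected last_sign_on_older_than_seconds_mfa to be at least (1), got 0"), the Resolution offers two fixes, removing the value or defining a new value greater than `0`, without saying which one matches the exported tenant. The Cause states that the value is not set in PingOne, so removal is the change that reproduces the existing policy, while picking a number sets a condition the tenant did not have. Suggest stating that explicitly, so a reader clearing the plan error does not unintentionally change when the MFA action applies. The same guidance is missing from the "conditions.0.last_sign_on_older_than_seconds ... conflicts with conditions.0.last_sign_on_older_than_seconds_mfa" section, which says to keep only one of the two arguments but not how to choose, although its example drops the `last_sign_on_older_than_seconds_mfa = 0` line. Two smaller points: the first code block under the `enforce_lockout_for_identity_providers` and `registration_confirm_user_attributes` headings lacks the "Generated configuration:" label that the other sections use, and the last example names the resource `my_awesome_progressive_profiling_action` although it contains an `mfa` block.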