Identity provider URL update behavior doesn't match UI

[keeganwitt]

If you change the provider URL (for example maybe you migrated the provider URL or are moving from one provider to another), it forces the re-creation of all the identity pools using that identity provider. However, f you make this change via the Confluent Cloud console, it doesn't force this update. As an example, changing my_provider's JWKS and/or issuer URL(s) will re-create my_pool.

resource "confluent_identity_provider" "my_provider" {
  display_name = "My OIDC Provider"
  description  = "OIDC provider for workload authentication"
  issuer       = "https://example.com"
  jwks_uri     = "https://example.com/jwks"
}

resource "confluent_identity_pool" "my_pool" {
  identity_provider {
    id = resource.my_provider.id
  }
  display_name   = "My Identity Pool"
  description    = "Identity pool for workload authentication"
  identity_claim = "claims.sub"
  filter         = "claims.aud==\"confluent.cloud\"&&claims.sub == \"spiffe://example.com/ns/my-namespace/sa/my-service-account\""
}

This is because of

terraform-provider-confluent/internal/provider/resource_identity_provider.go

Lines 75 to 77 in bef388c

	if d.HasChangesExcept(paramDisplayName, paramDescription) {
	return diag.Errorf("error updating Identity Provider %q: only %q, %q attributes can be updated for Identity Provider", d.Id(), paramDisplayName, paramDescription)
	}

and

terraform-provider-confluent/internal/provider/resource_identity_pool.go

Lines 76 to 78 in bef388c

	if d.HasChangesExcept(paramDisplayName, paramDescription, paramIdentityClaim, paramFilter) {
	return diag.Errorf("error updating Identity Pool %q: only %q, %q, %q, %q attributes can be updated for Identity Pool", d.Id(), paramDisplayName, paramDescription, paramIdentityClaim, paramFilter)
	}

[linouk23]

@keeganwitt, thanks for creating the issue!

It seems like the issue is very similar to

• APIT-2981: Updated the service account resource to support changes to the display_name attribute, alongside the description. #588
• APIT-2593: Allow updates to filter attribute for Group Mapping without forcing resource re-creation #587

All contributions are welcome! Would you be interested in creating a PR on your own?

[keeganwitt]

I lost track of this thread. But it looks like @sgagniere beat me to it. Thanks!

[linouk23]

@keeganwitt this PR has been released the latest version of TF Provider for Confluent (2.26.0), thank you!