Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version and Provider Version
Terraform version: 1.5.x
hashicorp/oci v7.10.0
Affected Resource(s)
oci_identity_domains_dynamic_resource_group
Terraform Configuration Files
resource "oci_identity_domains_dynamic_resource_group" "operator_instance_dynamic_group" {
  provider      = oci.home
  idcs_endpoint = local.default_domain_url
  display_name  = local.operator_instance_dynamic_group_name
  # matching_rule = "any{All {instance.compartment.id = '${local.sbc_compartment_ocid}', tag.${var.oci_resource_tag_namespace}.operator_instance.value='true'}}"
  matching_rule = "instance.id = '${oci_core_instance.operator_instance.id}'"
  schemas       = ["urn:ietf:params:scim:schemas:oracle:idcs:DynamicResourceGroup"]

  urnietfparamsscimschemasoracleidcsextension_oci_tags {
    defined_tags {
      key       = regex("(?P<namespace>[^.]+)\\.(?P<key>.+)", keys(var.oci_resource_tag.definedTags)[0]).key
      namespace = regex("(?P<namespace>[^.]+)\\.(?P<key>.+)", keys(var.oci_resource_tag.definedTags)[0]).namespace
      value     = values(var.oci_resource_tag.definedTags)[0]
    }
  }

  depends_on = [
    oci_core_instance.operator_instance
  ]
}

terraform {
  required_providers {
    oci = {
      source  = "hashicorp/oci"
      version = ">= 7.10.0"
    }
  }
}

provider "oci" {
  region = var.region
  # https://docs.oracle.com/en-us/iaas/Content/dev/terraform/troubleshooting.htm#default-tags-deleted
  # Sometimes, the OCI Terraform provider can unexpectedly delete existing tag defaults from a resource when running terraform apply.
  # This issue affects the Oracle-Tags automatic tag defaults in particular. As a workaround, you can set the
  # ignore_defined_tags attribute in the provider block to list out keys of the defined tags that Terraform will ignore as part of plan or apply.
  ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"]
}

provider "oci" {
  alias               = "home"
  region              = var.home_region
  ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"]
}
Debug Output
https://gist.github.com/mshannongit/4bdead83abc73fd1be04256bf0396992
Expected Behavior
Due to the use of the provider-level ignore_defined_tags, we would have expected no update of the dynamic group to be determined as being required in follow-up terraform applies simply as a result of Oracle adding CreatedBy/CreatedOn custom defined tags to the resource in the background.
ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"]
Actual Behavior
Terraform OCI provider detected a change in state of the dynamic resource group resource and triggered an update which failed - likely as the user invoking the update is not a tenant administrator.
The user running the terraform is not a tenant administrator, but is granted {DYNAMIC_GROUP_CREATE / DYNAMIC_GROUP_UPDATE / DYNAMIC_GROUP_DELETE} in tenancy.
Steps to Reproduce
- Create new user and group in OCI Identity Domain
- Grant this group {DYNAMIC_GROUP_CREATE / DYNAMIC_GROUP_UPDATE / DYNAMIC_GROUP_DELETE} in tenancy, e.g.
  Allow group 'Default'/'TESTGROUP' {DYNAMIC_GROUP_CREATE, DYNAMIC_GROUP_UPDATE, DYNAMIC_GROUP_DELETE} in tenancy
- Run terraform plan/apply as this new user to provision a new dynamic group using oci_identity_domains_dynamic_resource_group
- Re-apply the terraform and you will see it detects an update as being required to the dynamic group
Oracle #terraform-users slack post - https://proddev-paas-fmw.slack.com/archives/C86C2Q8TS/p1753101142418489
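A triage check for the re-apply plan described in this issue, added here as an example and not part of the issue, the gist, or the provider: it reads `terraform show -json` output and reports whether the only drift on the dynamic resource group is in tag keys that ignore_defined_tags should have suppressed, so benign tag-default drift can be told apart from a real configuration change. The sample plan, the tag namespace "MyTags" and the key "operator_instance" are constructed placeholders.

```python
"""Triage a `terraform show -json plan.out` dump: for each planned update to an
oci_identity_domains_dynamic_resource_group, list the defined tags that differ between
`before` and `after` and flag whether they are all keys ignore_defined_tags should have hidden."""

# Keys the issue's provider blocks ask the provider to ignore.
IGNORED = {"Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"}
RESOURCE_TYPE = "oci_identity_domains_dynamic_resource_group"
EXT_BLOCK = "urnietfparamsscimschemasoracleidcsextension_oci_tags"


def defined_tags(state):
    """Flatten the nested tag-extension block into {'namespace.key': value}."""
    tags = {}
    for ext in (state or {}).get(EXT_BLOCK) or []:
        for t in ext.get("defined_tags") or []:
            tags[f"{t['namespace']}.{t['key']}"] = t.get("value")
    return tags


def triage(plan):
    """Return {address: {'changed': set_of_tag_keys, 'only_ignored': bool}}."""
    result = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE or "update" not in rc["change"]["actions"]:
            continue
        before = defined_tags(rc["change"]["before"])
        after = defined_tags(rc["change"]["after"])
        changed = {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}
        result[rc["address"]] = {"changed": changed, "only_ignored": changed <= IGNORED}
    return result


# Constructed sample plan (not from the issue's gist): the refreshed state (`before`)
# carries the two Oracle-Tags defaults added in the background, the configuration
# (`after`) only the user's tag. Namespace "MyTags"/key "operator_instance" are placeholders.
_USER_TAG = {"namespace": "MyTags", "key": "operator_instance", "value": "true"}
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [{
    "address": RESOURCE_TYPE + ".operator_instance_dynamic_group",
    "type": RESOURCE_TYPE,
    "change": {"actions": ["update"],
               "before": {EXT_BLOCK: [{"defined_tags": [_USER_TAG,
                   {"namespace": "Oracle-Tags", "key": "CreatedBy", "value": "user@example"},
                   {"namespace": "Oracle-Tags", "key": "CreatedOn", "value": "2025-07-21T00:00:00Z"}]}]},
               "after": {EXT_BLOCK: [{"defined_tags": [_USER_TAG]}]}}}]}

if __name__ == "__main__":
    for addr, info in triage(SAMPLE_PLAN).items():
        verdict = "only ignored tag defaults drifted" if info["only_ignored"] else "real change"
        print(addr, sorted(info["changed"]), verdict)
```

To run it against a real plan, pass `json.load(open("plan.json"))` to triage() in place of SAMPLE_PLAN.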