Configuration Automation - Terraform

Frequently Asked Questions

How do I export configuration from a previously configured environment?

You can export configuration from a PingOne environment using a combination of Ping CLI and Terraform CLI tools.

How do I bring a previously configured environment under Terraform management?

You can bring any environment that has been configured without using Terraform under Terraform management using a combination of Ping CLI and Terraform CLI tools.

I cannot create a workforce-enabled environment. How can I use Terraform to create a PingID-enabled environment?

The PingOne provider does not yet support creation of a PingID-enabled workforce environment. You can track the list of known issues and provider limitations on the project’s GitHub.

I’ve created a new environment with Terraform, but my admins can’t see it

Check the admin user’s role permissions. The admin user must have at least one of the following roles to see the environment in the list of environments:

  • Organization Admin

  • Environment Admin

  • Identity Data Admin

  • Client Application Developer

  • Identity Data Read Only

  • Configuration Read Only

Refer to the Admin Role Management Considerations guide for details on role assignment and considerations for admin role management when using Terraform.

I’ve created a new environment or population with Terraform, but my admins can’t view users or manage group-based or population-based configuration

Check the admin user’s role permissions. The admin user must have at least one of the following roles to be able to view and manage identity data and configuration:

  • Identity Data Admin

  • Identity Data Read Only

Refer to the Admin Role Management Considerations guide for details on role assignment and considerations for admin role management when using Terraform.

I get an error "Actor does not have permissions to access worker application client secrets"

Admin actors (users, worker applications, connections) might unexpectedly find that they can no longer view or rotate a worker application’s secret, even though they could previously.

This change typically occurs when the worker application is granted additional role permissions that the user, admin worker application, or connection doesn’t have. The worker application whose secret cannot be managed then has a higher level of privilege to manage configuration and data within the tenant than the actor does. The ability to view and change the secret is therefore restricted to mitigate privilege escalation, where admin actors could potentially use the higher-privileged worker application to make changes they aren’t authorized to make in the platform.

You can find more information and guidance on how to resolve this error in Admin Role Management Considerations.
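
The restriction described above can be audited before role changes are applied. The following is an added example, not code from the PingOne provider or platform: a simplified model that lists which of a worker application's role assignments an admin actor does not cover. The scope IDs, the PARENT layout and the function names are constructed, and the rule that a role held at a broader scope covers the same role at a narrower scope inside it is a modelling assumption to confirm against the Admin Role Management Considerations guide.

```python
# Added example: simplified model of the role comparison; not PingOne's implementation.
from typing import NamedTuple

class Assignment(NamedTuple):
    role: str        # role name, e.g. "Identity Data Admin"
    scope_type: str  # "ORGANIZATION", "ENVIRONMENT" or "POPULATION"
    scope_id: str    # constructed placeholder IDs in the sample data below

# Constructed tenant layout (assumption): each scope mapped to the scope that contains it.
PARENT = {
    ("POPULATION", "pop-1"): ("ENVIRONMENT", "env-a"),
    ("ENVIRONMENT", "env-a"): ("ORGANIZATION", "org-1"),
    ("ENVIRONMENT", "env-b"): ("ORGANIZATION", "org-1"),
}

def scope_chain(scope_type, scope_id):
    """Yield the scope itself, then each enclosing scope up to the organization."""
    scope = (scope_type, scope_id)
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

def covers(actor, needed):
    """True if the actor holds the same role at this scope or at an enclosing one."""
    return any(Assignment(needed.role, t, i) in actor
               for t, i in scope_chain(needed.scope_type, needed.scope_id))

def missing_for_secret_access(actor, worker):
    """Worker-app assignments the actor does not cover; empty means nothing to escalate to."""
    return sorted(a for a in worker if not covers(actor, a))

# Constructed sample data: an admin user and a worker application.
ADMIN = {Assignment("Environment Admin", "ORGANIZATION", "org-1"),
         Assignment("Identity Data Admin", "ENVIRONMENT", "env-a")}
WORKER_BEFORE = {Assignment("Environment Admin", "ENVIRONMENT", "env-a"),
                 Assignment("Identity Data Admin", "POPULATION", "pop-1")}
# The worker app is later granted a role in an environment where the admin lacks it.
WORKER_AFTER = WORKER_BEFORE | {Assignment("Identity Data Admin", "ENVIRONMENT", "env-b")}

if __name__ == "__main__":
    print("before:", missing_for_secret_access(ADMIN, WORKER_BEFORE))
    print("after: ", missing_for_secret_access(ADMIN, WORKER_AFTER))
```

A non-empty result identifies the assignments that give the worker application more privilege than the actor, which is the condition under which the error is expected.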