Configuration Automation - Terraform

Frequently Asked Questions

How do I export configuration from a previously configured environment?

You can export configuration from a PingOne environment using a combination of Ping CLI and Terraform CLI tools.

How do I bring a previously configured environment under Terraform management?

You can bring any environment that has been configured without using Terraform under Terraform management using a combination of Ping CLI and Terraform CLI tools.

I cannot create a workforce-enabled environment, or: how do I create a PingID-enabled environment with Terraform?

The PingOne provider does not yet support creation of a PingID-enabled workforce environment. You can track the list of known issues and provider limitations on the project’s GitHub.

I’ve created a new environment with Terraform, but my admins can’t see it

Check the admin user’s role permissions. The admin user must have at least one of the following roles to see the new environment in the list of environments:

  • Organization Admin

  • Environment Admin

  • Identity Data Admin

  • Client Application Developer

  • Identity Data Read Only

  • Configuration Read Only

Refer to the Admin Role Management Considerations guide for details on role assignment and considerations for admin role management when using Terraform.

I’ve created a new environment or population with Terraform, but my admins can’t view users, or manage group or population based configuration

Check the admin user’s role permissions. The admin user must have at least one of the following roles to be able to view and manage identity data and configuration:

  • Identity Data Admin

  • Identity Data Read Only

Refer to the Admin Role Management Considerations guide for details on role assignment and considerations for admin role management when using Terraform.
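The two answers above describe role scoping in prose; the following configuration is an added example (not from the Ping documentation or the PingOne provider project) that creates an environment and a population and then assigns the roles those answers list. It assumes the PingOne Terraform provider v1 schema, and that the caller supplies var.license_id, var.admin_environment_id (the environment the admin user belongs to, usually the Administrators environment) and var.admin_user_id. The actor Terraform runs as must itself hold a role in order to assign it.

```hcl
# Added example, not part of the Ping documentation. Assumes provider v1
# syntax and caller-supplied variables (license_id, admin_environment_id,
# admin_user_id).

resource "pingone_environment" "my_environment" {
  name       = "My Terraform Environment"
  type       = "SANDBOX"
  license_id = var.license_id

  # Provider v1 list-of-objects form; older releases used `service {}` blocks.
  services = [
    { type = "SSO" },
  ]
}

resource "pingone_population" "customers" {
  environment_id = pingone_environment.my_environment.id
  name           = "Customers"
}

# Built-in role definitions looked up by name.
data "pingone_role" "environment_admin" {
  name = "Environment Admin"
}

data "pingone_role" "identity_data_admin" {
  name = "Identity Data Admin"
}

# Environment Admin scoped to the new environment only: the admin user can
# now see the environment in the list and manage its configuration, but
# gains no rights in any other environment.
resource "pingone_role_assignment_user" "env_admin" {
  environment_id       = var.admin_environment_id
  user_id              = var.admin_user_id
  role_id              = data.pingone_role.environment_admin.id
  scope_environment_id = pingone_environment.my_environment.id
}

# Identity Data Admin scoped to a single population: the admin user can view
# and manage users and population-based configuration for "Customers"
# without holding identity-data rights across the whole environment.
resource "pingone_role_assignment_user" "population_data_admin" {
  environment_id      = var.admin_environment_id
  user_id             = var.admin_user_id
  role_id             = data.pingone_role.identity_data_admin.id
  scope_population_id = pingone_population.customers.id
}
```

Scoping the assignments to the environment or population keeps the admin user’s privileges to the minimum the answers require; if the plan fails on either role assignment, check that the worker application Terraform authenticates as holds the same role, because PingOne only lets an actor assign roles it already has.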

I get an error "Actor does not have permissions to access worker application client secrets"

Admin actors (users, worker applications, connections) might unexpectedly lose the ability to view or rotate a worker application’s secret that they could previously manage.

The change in ability to manage a worker application’s client secret typically occurs when the worker application is granted additional role permissions that the user, admin worker application, or connection doesn’t have. The worker application whose secret cannot be managed has a higher level of privilege to manage configuration and data within the tenant. The ability to view and change the secret is therefore restricted to mitigate privilege escalation issues where admin actors could potentially use the higher privileged worker application to make changes they aren’t authorized to make in the platform.

You can find more information and guidance on how to resolve this error in Admin Role Management Considerations.
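The condition in the answer above is that the managed worker application holds a role the admin actor lacks. The following added example (not from the Ping documentation or the PingOne provider project) shows a Terraform-managed worker application whose roles are declared in one place so they can be compared against the roles of the actor Terraform runs as. It assumes the provider v1 schema, an existing environment in var.environment_id, and that the pingone_application_secret resource is used to read the secret; keeping the managed application’s role set within the admin actor’s role set is this example’s own convention for avoiding the error, not a statement of the Ping guidance.

```hcl
# Added example, not part of the Ping documentation. Assumes provider v1
# syntax and an existing environment supplied in var.environment_id.

data "pingone_role" "environment_admin" {
  name = "Environment Admin"
}

data "pingone_role" "identity_data_admin" {
  name = "Identity Data Admin"
}

locals {
  # Every role granted to the managed worker application below. The worker
  # application Terraform authenticates as must hold each of these roles
  # (granted outside this configuration); otherwise the managed application
  # is the more privileged of the two and PingOne refuses to expose its
  # secret to the admin actor.
  managed_worker_roles = {
    environment_admin   = data.pingone_role.environment_admin.id
    identity_data_admin = data.pingone_role.identity_data_admin.id
  }
}

# Worker application managed by Terraform.
resource "pingone_application" "managed_worker" {
  environment_id = var.environment_id
  name           = "Managed Worker App"
  enabled        = true

  oidc_options = {
    type                       = "WORKER"
    grant_types                = ["CLIENT_CREDENTIALS"]
    token_endpoint_auth_method = "CLIENT_SECRET_BASIC"
  }
}

# One assignment per entry in local.managed_worker_roles, scoped to the
# environment rather than the organization.
resource "pingone_application_role_assignment" "managed_worker" {
  for_each = local.managed_worker_roles

  environment_id       = var.environment_id
  application_id       = pingone_application.managed_worker.id
  role_id              = each.value
  scope_environment_id = var.environment_id
}

# Read the managed application's secret only after its roles are in place,
# so a failed secret read points at a role mismatch rather than ordering.
resource "pingone_application_secret" "managed_worker" {
  environment_id = var.environment_id
  application_id = pingone_application.managed_worker.id

  depends_on = [pingone_application_role_assignment.managed_worker]
}

output "managed_worker_client_secret" {
  value     = pingone_application_secret.managed_worker.secret
  sensitive = true
}
```

Declaring the roles in a single local makes a review question concrete: any role added to that map is a role the Terraform admin actor must also hold before the next apply, otherwise the secret read fails with the error in the question.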

Why doesn’t the PingOne DaVinci Flow resource use a JSON export?

The PingOne Terraform provider supports DaVinci Flow resources as complete HCL representations instead of referencing a JSON export for a number of reasons:

  • Difference reviewing: The attributes under graph_data are modelled as a map. This avoids situations where the platform returns an export in which the ordering of nodes has changed, which makes a file comparison difficult. Changes to flow configuration are instead reviewed as identified differences in a terraform plan rather than as file comparisons, so the differences are more precise and easier to follow.

  • Dependency mapping: With the flow represented in HCL, the process for adding references to other resources can use native Terraform dependencies (for example, a Flow node’s connection_id can point directly to a managed connection).

  • Direct configuration changes: Changing a DaVinci flow in JSON is complex and error-prone. HCL provides an easier to read format and more access to Terraform’s native functions.

  • Sensitive attributes: This format allows for specific attributes (for example, node properties) to be marked sensitive, rather than the entire flow.

  • API alignment: In general, all provider resource schemas intend to match the documented APIs for more direct reliance on API contracts and prevention of breaking changes.

PingOne DaVinci Flows can grow to be very large in both the UI and the JSON representation. Converting a Flow’s JSON export to HCL by hand is challenging, so you should use the Ping CLI Terraformer plugin for this conversion. The Manage an Existing PingOne DaVinci Environment guide shows how to use this tool with a configured environment.

Why do I see a planned change after import even when the defined configuration matches live infrastructure?

The PingOne API doesn’t allow reading attributes that are considered secrets. For these fields, the Terraform provider only compares what’s stored in state with what’s defined in configuration, rather than refreshing state against live infrastructure. The terraform import command stores obfuscated values for these fields in Terraform state, so the configured value never matches the imported state value. The resulting planned change directs the Terraform provider to run an API PUT on the first apply, which writes the configured value and brings state and configuration into alignment; subsequent plans show no change for the field.