Bug Fix - Check OIDC is enabled in state to prevent drift

Author: joekr

examples/container_engine/oidc_authn_token_config_multi_issuers/main.tf

@@ -1,24 +1,19 @@
 // Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
 // Licensed under the Mozilla Public License v2.0
 
-variable "tenancy_ocid" {
-}
+variable "tenancy_ocid" {}
 
-variable "user_ocid" {
-}
+variable "user_ocid" {}
 
-variable "compartment_ocid" {
-}
+variable "compartment_ocid" {}
 
 variable "region" {
   default = "us-ashburn-1"
 }
 
-variable "kms_vault_id" {
-}
+variable "kms_vault_id" {}
 
-variable "compartment_id" {
-}
+variable "compartment_id" {}
 
 variable "cluster_cluster_pod_network_options_cni_type" {
   default = "OCI_VCN_IP_NATIVE"
@@ -231,6 +226,13 @@ data "oci_containerengine_cluster" "test_cluster_multi_issuer" {
   should_include_oidc_config_file = var.cluster_should_include_oidc_config_file
 }
 
+output "cluster_id" {
+  value = data.oci_containerengine_cluster.test_cluster_multi_issuer.cluster_id
+}
+output "configFile" {
+  value = data.oci_containerengine_cluster.test_cluster_multi_issuer.should_include_oidc_config_file
+}
+
 data "oci_containerengine_clusters" "test_clusters" {
   #Required
   compartment_id = var.compartment_ocid

internal/service/containerengine/containerengine_cluster_resource.go

@@ -962,9 +962,10 @@ func (s *ContainerengineClusterResourceCrud) Get() error {
 	tmp := s.D.Id()
 	request.ClusterId = &tmp
 
-	if shouldIncludeOidcConfigFile, ok := s.D.GetOkExists("should_include_oidc_config_file"); ok {
-		tmp := shouldIncludeOidcConfigFile.(bool)
-		request.ShouldIncludeOidcConfigFile = &tmp
+	if getOIDCEnabledFromState(s.D) {
+		shouldInclude := true
+		request.ShouldIncludeOidcConfigFile = &shouldInclude
+		log.Printf("[DEBUG] Setting ShouldIncludeOidcConfigFile to true based on state.")
 	}
 
 	request.RequestMetadata.RetryPolicy = tfresource.GetRetryPolicy(s.DisableNotFoundRetries, "containerengine")
@@ -2059,3 +2060,31 @@ func ServiceLbConfigDetailsToMap(obj *oci_containerengine.ServiceLbConfigDetails
 
 	return result
 }
+
+func getOIDCEnabledFromState(d *schema.ResourceData) bool {
+	isEnabled := false
+
+	// Check if OIDC is enabled in state
+	// location "options.0.open_id_connect_token_authentication_config.0.is_open_id_connect_auth_enabled"
+	if options, ok := d.GetOkExists("options"); ok {
+		if optionsList := options.([]interface{}); len(optionsList) > 0 {
+			// Safe to use [0] since MaxItems: 1, but let's be explicit
+			optionsMap := optionsList[0].(map[string]interface{})
+
+			if oidcConfig, exists := optionsMap["open_id_connect_token_authentication_config"]; exists {
+				if oidcList := oidcConfig.([]interface{}); len(oidcList) > 0 {
+					// Again, safe to use [0] since MaxItems: 1
+					oidcMap := oidcList[0].(map[string]interface{})
+
+					if enabled, exists := oidcMap["is_open_id_connect_auth_enabled"]; exists {
+						if enabledBool, ok := enabled.(bool); ok && enabledBool {
+							isEnabled = true
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return isEnabled
+}