
okta_app_signon_policy is forced replaced due to catch_all in v4.13.0 and panics while recreating policy leaving tenant without valid policy rules #2182

Closed
asiyani opened this issue Jan 20, 2025 · 3 comments
Labels
bug, triaged (Triaged into internal Jira)

Comments


asiyani commented Jan 20, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

❯ terraform -v
Terraform v1.10.4
on linux_amd64
+ provider registry.terraform.io/okta/okta v4.13.0

Affected Resource(s)

  • okta_app_signon_policy
  • okta_app_signon_policy_rule (due to policy reference)

Terraform Configuration Files

resource "okta_app_signon_policy" "bug_policy" {
  name        = "bug report"
  description = "Authentication Policy created for bug report."
}


resource "okta_app_signon_policy_rule" "bug_policy_rule" {
  policy_id   = okta_app_signon_policy.bug_policy.id
  name        = "bug report"
  factor_mode = "2FA"
  constraints = [
    jsonencode({
      "knowledge" : {
        required = true
        "types" : ["password"]
      },
    })
  ]
}

Debug Output

Terraform will perform the following actions:

  # okta_app_signon_policy.bug_policy must be replaced
-/+ resource "okta_app_signon_policy" "bug_policy" {
      + catch_all       = true # forces replacement
      + default_rule_id = (known after apply)
      ~ id              = "rst9vyrpoolSDnDe40x7" -> (known after apply)
        name            = "bug report"
        # (1 unchanged attribute hidden)
    }

  # okta_app_signon_policy_rule.bug_policy_rule must be replaced
-/+ resource "okta_app_signon_policy_rule" "bug_policy_rule" {
      ~ constraints                 = [
          ~ jsonencode( # whitespace changes
                {
                    knowledge = {
                        required = true
                        types    = [
                            "password",
                        ]
                    }
                }
            ),
        ]
      ~ id                          = "rul9vyrozowvA2nF60x7" -> (known after apply)
        name                        = "bug report"
      ~ policy_id                   = "rst9vyrpoolSDnDe40x7" -> (known after apply) # forces replacement
      - priority                    = 0 -> null
      ~ risk_score                  = "ANY" -> (known after apply)
      ~ system                      = false -> (known after apply)
      - user_types_excluded         = [] -> null
      - user_types_included         = [] -> null
      - users_excluded              = [] -> null
      - users_included              = [] -> null
        # (7 unchanged attributes hidden)
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Panic Output

https://gist.github.com/asiyani/1c0a9fb8f17ef36ab29966233b3ff53c

Expected Behavior

When upgrading the provider, policies created by the old version should not be recreated.
Also, there should not be a panic while deleting a policy.

Can this be done in the Admin UI? N/A

Can this be done in the actual API call? N/A

Actual Behavior

After updating the Okta provider version, all okta_app_signon_policy resources are
force recreated, causing all okta_app_signon_policy_rule resources to be re-created as well.
Adding catch_all with true or false has no effect on the forced replacement.

When applied, it actually panics while creating the policy, hence leaving the policy with
only the default rule, potentially locking out admins/users.

Steps to Reproduce

  1. Create okta_app_signon_policy and okta_app_signon_policy_rule resources
    using the old provider version 4.12.0
  2. Update the provider to v4.13.0
  3. rm -rf .terraform.lock.hcl .terraform && terraform init && terraform plan
  4. The plan output will show a forced replacement: "Plan: 2 to add, 0 to change, 2 to destroy."
  5. Run terraform apply, which will result in a panic

Important Factoids

We are using an API Services app (scoped OAuth 2.0 access tokens) to run the terraform applier with the following ENVs.

export OKTA_API_CLIENT_ID=0oaxxxxxxxxxxxxxxx7
export OKTA_API_PRIVATE_KEY=path/to/private.key
export OKTA_API_SCOPES=okta.apps.read,okta.authenticators.manage,okta.authorizationServers.manage,okta.factors.manage,okta.groups.manage,okta.networkZones.manage,okta.policies.manage,okta.profileMappings.manage,okta.roles.manage,okta.schemas.manage,okta.users.read

References

  • #0000
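The failure mode above is worth catching before apply rather than after: the plan already says "2 to destroy" for the policy and its rule, and the panic happens mid-recreate, so a pre-apply guard that refuses plans which delete or replace app sign-on policy objects would have stopped this at step 4. The following script is an added example, not code from this issue or from the Okta provider. It reads the machine-readable plan produced by `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan` and flags protected resource types whose change actions include "delete"; the `replace_paths` field it reports (the attribute that forced replacement, `catch_all` here) is assumed to be present in the JSON plan format, and the embedded sample plan is constructed to mirror the plan output posted above.

```python
"""Pre-apply guard: refuse to apply a Terraform plan that would destroy or
replace Okta app sign-on policies or their rules.

Intended use (outside this script):
    terraform plan -out=plan.tfplan
    terraform show -json plan.tfplan > plan.json
    python guard.py plan.json   # non-zero exit blocks the apply step
"""
import json
import sys

# Resource types whose destruction leaves the tenant without valid policy rules.
PROTECTED_TYPES = {"okta_app_signon_policy", "okta_app_signon_policy_rule"}


def risky_changes(plan, protected_types=PROTECTED_TYPES):
    """Return [(address, actions, replace_paths)] for every protected
    resource that the plan deletes or replaces (delete+create)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in protected_types:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" not in actions:
            continue
        # replace_paths lists the attribute paths that forced the replacement
        # (assumed field of the `terraform show -json` plan format; the issue's
        # plan shows catch_all for the policy and policy_id for the rule).
        paths = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
        findings.append((rc["address"], actions, paths))
    return findings


def plan_is_safe(plan):
    """True when no protected resource would be deleted or replaced."""
    return not risky_changes(plan)


# Constructed sample mirroring the plan posted in the issue (not real terraform output).
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "okta_app_signon_policy.bug_policy",
            "type": "okta_app_signon_policy",
            "change": {"actions": ["delete", "create"], "replace_paths": [["catch_all"]]},
        },
        {
            "address": "okta_app_signon_policy_rule.bug_policy_rule",
            "type": "okta_app_signon_policy_rule",
            "change": {"actions": ["delete", "create"], "replace_paths": [["policy_id"]]},
        },
        {
            # An unrelated in-place update that should not trip the guard.
            "address": "okta_group.engineering",
            "type": "okta_group",
            "change": {"actions": ["update"]},
        },
    ]
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = risky_changes(plan)
    for address, actions, paths in findings:
        print(f"BLOCKED: {address} actions={actions} forced_by={paths or 'n/a'}")
    if findings:
        print("Refusing to apply: the plan would remove app sign-on policy objects.")
        return 1
    print("Plan is safe to apply.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample and exits 1, naming both replaced resources and the attribute that forced each replacement. A complementary, provider-independent control is `lifecycle { prevent_destroy = true }` on the okta_app_signon_policy resource, which makes Terraform refuse the plan itself rather than relying on an external check.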
@asiyani asiyani changed the title okta_app_signon_policy is forced replaced due to catch_all in v4.13.0 and panics while recreating policy leaving tenant without any auth policy okta_app_signon_policy is forced replaced due to catch_all in v4.13.0 and panics while recreating policy leaving tenant without valid policy rules Jan 20, 2025
@duytiennguyen-okta added the triaged (Triaged into internal Jira) and bug labels Jan 24, 2025
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-857039

@SergiyDivnych

This is a bug with the Okta provider in version 4.13.0; it works fine with version 4.12.0.

@duytiennguyen-okta
Contributor

Closed with #2188
