Deleting App Sign-on Policy Fails in 4.13.0 and 4.13.1

[south-mer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.10.5
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.13.1

Affected Resource(s)

• okta_app_signon_policy

Terraform Configuration Files

terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "4.13.1"
    }
  }
}

# provider "okta" {
#   org_name  = "<REDACTED>"
#   base_url  = "okta.com"
#   api_token = "<REDACTED>"
# }

# Memo: comment out the following block after the policy is created
resource "okta_app_signon_policy" "policy" {
  name        = "test_policy"
  description = "Test policy"
}

Debug Output

okta_app_signon_policy.policy: Refreshing state... [id=<REDACTED_POLICY_ID>]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # okta_app_signon_policy.policy will be destroyed
  # (because okta_app_signon_policy.policy is not in configuration)
  - resource "okta_app_signon_policy" "policy" {
      - catch_all   = true -> null
      - description = "Test policy" -> null
      - id          = "<REDACTED_POLICY_ID>" -> null
      - name        = "test_policy" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Panic Output

╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-okta_v4.13.1 plugin:

panic: interface conversion: interface is nil, not okta.OktaApp

goroutine 61 [running]:
github.com/okta/terraform-provider-okta/okta.(*appSignOnPolicyResource).Delete(0x14000786030, {0x10668ac58, 0x1400034f650}, {{{{0x106690220, 0x1400074c660}, {0x106332ba0, 0x1400074c4b0}}, {0x106692f50, 0x140007a1590}}, {{{0x0, ...}, ...}, ...}, ...}, ...)
        github.com/okta/terraform-provider-okta/okta/resource_okta_app_signon_policy.go:234 +0x41c
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).DeleteResource(0x140002791e0, {0x10668ac58, 0x1400034f650}, 0x140004df408, 0x140007633b8)
        github.com/hashicorp/[email protected]/internal/fwserver/server_deleteresource.go:100 +0x4ec
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).ApplyResourceChange(0x140004df5a0?, {0x10668ac58, 0x1400034f650}, 0x1400027ebe0, 0x140007635a0)
        github.com/hashicorp/[email protected]/internal/fwserver/server_applyresourcechange.go:79 +0x248
github.com/hashicorp/terraform-plugin-framework/internal/proto6server.(*Server).ApplyResourceChange(0x140002791e0, {0x10668ac58?, 0x1400034f470?}, 0x1400027eaa0)
        github.com/hashicorp/[email protected]/internal/proto6server/server_applyresourcechange.go:55 +0x314
github.com/hashicorp/terraform-plugin-mux/tf6to5server.v6tov5Server.ApplyResourceChange({{0x106693938?, 0x140002791e0?}}, {0x10668ac58, 0x1400034f470}, 0x0?)
        github.com/hashicorp/[email protected]/tf6to5server/tf6to5server.go:59 +0x58
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.(*muxServer).ApplyResourceChange(0x10668ac90?, {0x10668ac58?, 0x1400034edb0?}, 0x1400027ea50)
        github.com/hashicorp/[email protected]/tf5muxserver/mux_server_ApplyResourceChange.go:36 +0x184
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x140002a8e60, {0x10668ac58?, 0x1400034e2a0?}, 0x14000232000)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:846 +0x2b0
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1065bcc40?, 0x140002a8e60}, {0x10668ac58, 0x1400034e2a0}, 0x14000028200, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:518 +0x164
google.golang.org/grpc.(*Server).processUnaryRPC(0x140001b5200, {0x10668ac58, 0x14000570300}, {0x106691498, 0x140001c6180}, 0x1400056c900, 0x1400048ba70, 0x107566938, 0x0)
        google.golang.org/[email protected]/server.go:1369 +0xba0
google.golang.org/grpc.(*Server).handleStream(0x140001b5200, {0x106691498, 0x140001c6180}, 0x1400056c900)
        google.golang.org/[email protected]/server.go:1780 +0xc80
google.golang.org/grpc.(*Server).serveStreams.func2.1()
        google.golang.org/[email protected]/server.go:1019 +0x8c
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 15
        google.golang.org/[email protected]/server.go:1030 +0x150

Error: The terraform-provider-okta_v4.13.1 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Expected Behavior

The policy should be deleted successfully.

Can this be done in the Admin UI?

Yes: policy deletion is possible

Can this be done in the actual API call?

Yes: policy deletion through console is still possible, and deletion in 4.12.0 still works

Actual Behavior

The Terraform provider panics due to a cast from nil to okta.OktaApp when enumerating apps with the given app sign-on policy.

Steps to Reproduce

1. terraform apply the given Terraform code. (Use provider version 4.13.1)
2. Comment out the okta_app_signon_policy.
3. terraform apply again.
4. See that the apply fails and the provider crashes.

Important Factoids

N/A

References

• This is the same problem as the later half as okta_app_signon_policy is forced replaced due to catch_all in v4.13.0 and panics while recreating policy leaving tenant without valid policy rules #2182, which is closed.