Policies Created Before 4.13.0 Errs When Updating

[south-mer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.10.5
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.13.1

Affected Resource(s)

• okta_app_signon_policy

Terraform Configuration Files

terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "4.13.1"
    }
  }
}

# provider "okta" {
#   org_name  = "<REDACTED>"
#   base_url  = "okta.com"
#   api_token = "<REDACTED>"
# }

# Memo: comment out the following block after the policy is created
resource "okta_app_signon_policy" "policy" {
  name        = "test_policy"
  description = "Test policy"
}

Debug Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # okta_app_signon_policy.policy will be updated in-place
  ~ resource "okta_app_signon_policy" "policy" {
      + catch_all       = true
      + default_rule_id = (known after apply)
        id              = "<REDACTED_POLICY_ID>"
        name            = "test_policy"
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

okta_app_signon_policy.policy: Modifying... [id=<REDACTED_POLICY_ID>]
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for okta_app_signon_policy.policy.default_rule_id. All values must be known after apply, so this is always a bug in the
│ provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.
╵

Panic Output

N/A

Expected Behavior

The policy update should be performed successfully without failure.

Can this be done in the Admin UI?

Yes: policy updating is possible

Can this be done in the actual API call?

Yes: policy updating through console is still possible and updating in 4.12.0 also works

Actual Behavior

The policy update is successful, but the Terraform apply fails.

default_rule_id is marked as computed, but is not computed when Update is performed.
(If the policy is created in 4.13.0+, then the field is filled when Create is called. However, if it is created before 4.13.0, then the field remains unknown.)

Steps to Reproduce

1. terraform apply the given Terraform code in provider version 4.12.0.
2. Change the code to use provider 4.13.1.
3. terraform init -upgrade and terraform apply.
4. See that the apply fails with the error in the Debug Output above.

Important Factoids

N/A

References

• Related to feature added in add support for catch_all = deny #2153
• This has the same root reason as okta_app_signon_policy > catch_all problems after update from 4.11 to 4.13.1 #2197. However, this issue also covers the changes after upgrading.