Changes to OIDC IDP's affects Profile overrides on Okta user attributes #1524

Closed
vignesh-okta opened this issue Apr 12, 2023 · 1 comment · Fixed by #1526
Labels
bug triaged Triaged into internal Jira

Comments


vignesh-okta commented Apr 12, 2023

@monde When there are changes made to okta_idp_oidc resource, and there is a corresponding attribute set to OVERRIDE from this IDP, the OVERRIDE status is lost on the attribute and switches to Inherit from Profile Source.

Root Cause
The Terraform provider is making updates to the IDP without the status parameter in the body and hence deactivates the existing IDP. It then makes a subsequent API call to activate the IDP. During the deactivation, the attribute set to be OVERRIDDEN is switched to Inherit from Profile Source automatically, as the IDP no longer exists.

Logs

During updates, it sends a PUT without status "ACTIVE" and hence deactivates the IDP in Okta:

PUT /api/v1/idps/0oa7n*** HTTP/1.1
Host: acme.oktapreview.com
User-Agent: okta-sdk-golang/2.17.0 golang/go1.20.2 darwin/amd64 okta-terraform/3.45.0
Content-Length: 1106
Accept: application/json
Authorization: SSWS ***
Content-Type: application/json
Accept-Encoding: gzip

{
 "issuerMode": "CUSTOM_URL",
 "name": "IdP - Test",
 "policy": {
  "accountLink": {
   "action": "AUTO"
  },
  "maxClockSkew": 0,
  "provisioning": {
   "action": "AUTO",
   "conditions": {
    "deprovisioned": {
     "action": "NONE"
    },
    "suspended": {
     "action": "NONE"
    }
   },
   "groups": {
    "action": "ASSIGN",
    "assignments": [
     "00g7nb2fdrOSC***7",
     "00g7nb3****d7"
    ]
   },
   "profileMaster": true
  },
  "subject": {
   "matchType": "USERNAME_OR_EMAIL",
   "userNameTemplate": {
    "template": "idpuser.email"
   }
  }
 },
 "protocol": {
  "algorithms": {
   "request": {
    "signature": {
     "algorithm": "HS256",
     "scope": "NONE"
    }
   }
  },
  "credentials": {
   "client": {
    "client_id": "***",
    "client_secret": "***"
   }
  },
  "endpoints": {
   "authorization": {
    "binding": "HTTP-REDIRECT",
    "url": "https://login.salesforce.com/services/oauth2/authorize"
   },
   "jwks": {
    "binding": "HTTP-REDIRECT",
    "url": "https://login.salesforce.com/id/keys"
   },
   "token": {
    "binding": "HTTP-POST",
    "url": "https://login.salesforce.com/services/oauth2/token"
   },
   "userInfo": {
    "binding": "HTTP-REDIRECT",
    "url": "https://login.salesforce.com/services/oauth2/userinfo"
   }
  },
  "issuer": {
   "url": "https://login.salesforce.com"
  },
  "scopes": [
   "openid"
  ],
  "type": "OIDC"
 },
 "type": "OIDC"
}

It then makes a separate call to activate the IDP:

POST /api/v1/idps/0oa7n***/lifecycle/activate HTTP/1.1
Host: acme.oktapreview.com
User-Agent: okta-sdk-golang/2.17.0 golang/go1.20.2 darwin/amd64 okta-terraform/3.45.0
Content-Length: 0
Accept: application/json
Authorization: SSWS ***
Accept-Encoding: gzip

I believe that the Go SDK supports passing the status on the body of the request but the Terraform provider is not leveraging that and instead making a separate call to activate/deactivate after the initial update. Please fix this as this is critical for a customer Go-Live and any changes to the IDP through Terraform breaks the attribute sourced by it.
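To make the sequence in the logs above concrete, here is an added Go example; it is not code from the Terraform provider, the Okta Go SDK or Okta, and it does not call any of them. A small in-process fake of the two endpoints models only the behaviour this issue reports (a PUT body without `status` leaves the IdP INACTIVE, `POST .../lifecycle/activate` flips it back), and two update styles are run against it: the logged PUT-then-activate sequence, which passes through INACTIVE before the second call, and a single PUT that carries the current status, which never does. Because the attribute override is dropped during that INACTIVE window, the first style silently changes which source owns a user attribute. The fake server, the truncated id `0oa7n`, the trimmed request body and all helper names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// fakeOkta is a constructed stand-in for the two endpoints in the logs above.
// It models only the behaviour the issue reports: a PUT /api/v1/idps/{id}
// whose body omits "status" leaves the IdP INACTIVE, and POST
// .../lifecycle/activate flips it back to ACTIVE. It is not Okta's API.
type fakeOkta struct {
	mu      sync.Mutex
	idp     map[string]any
	history []string // status after every write, so a transient INACTIVE is visible
}

func (f *fakeOkta) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	f.mu.Lock()
	defer f.mu.Unlock()
	switch {
	case r.Method == http.MethodPut && strings.HasPrefix(r.URL.Path, "/api/v1/idps/"):
		var in map[string]any
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if _, ok := in["status"]; !ok {
			in["status"] = "INACTIVE" // the deactivation described in the issue
		}
		f.idp = in
	case r.Method == http.MethodPost && strings.HasSuffix(r.URL.Path, "/lifecycle/activate"):
		f.idp["status"] = "ACTIVE"
	default:
		http.NotFound(w, r)
		return
	}
	f.history = append(f.history, fmt.Sprint(f.idp["status"]))
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(f.idp)
}

// do sends one JSON request and fails on any non-2xx reply.
func do(method, url string, body []byte) error {
	req, _ := http.NewRequest(method, url, bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: %s", method, url, resp.Status)
	}
	return nil
}

// updateThenActivate reproduces the logged sequence: PUT without "status",
// then a second call to re-activate the IdP.
func updateThenActivate(base, id string, desired map[string]any) error {
	buf, _ := json.Marshal(desired)
	if err := do(http.MethodPut, base+"/api/v1/idps/"+id, buf); err != nil {
		return err
	}
	return do(http.MethodPost, base+"/api/v1/idps/"+id+"/lifecycle/activate", nil)
}

// updateWithStatus copies the IdP's current status into the PUT body, so a
// single request carries the change and the IdP never passes through INACTIVE.
func updateWithStatus(base, id string, desired map[string]any, currentStatus string) error {
	body := make(map[string]any, len(desired)+1)
	for k, v := range desired {
		body[k] = v
	}
	body["status"] = currentStatus
	buf, _ := json.Marshal(body)
	return do(http.MethodPut, base+"/api/v1/idps/"+id, buf)
}

// withFake runs one update sequence against a fresh fake whose IdP starts
// ACTIVE and returns the status recorded after every write it performed.
func withFake(update func(base string) error) ([]string, error) {
	fo := &fakeOkta{idp: map[string]any{"name": "IdP - Test", "type": "OIDC", "status": "ACTIVE"}}
	srv := httptest.NewServer(fo)
	defer srv.Close()
	if err := update(srv.URL); err != nil {
		return nil, err
	}
	fo.mu.Lock()
	defer fo.mu.Unlock()
	return append([]string(nil), fo.history...), nil
}

// RunScenario runs the logged sequence and the single-call alternative and
// returns the status history of each (id and body trimmed from the logs above).
func RunScenario() (separate, withStatus []string, err error) {
	const id = "0oa7n"
	desired := map[string]any{"name": "IdP - Test", "type": "OIDC", "issuerMode": "CUSTOM_URL"}
	separate, err = withFake(func(b string) error { return updateThenActivate(b, id, desired) })
	if err != nil {
		return
	}
	withStatus, err = withFake(func(b string) error { return updateWithStatus(b, id, desired, "ACTIVE") })
	return
}
```

`RunScenario` returns `[INACTIVE ACTIVE]` for the logged two-call sequence and `[ACTIVE]` for the single PUT that includes `status`; the first history is the window in which the profile override is lost. A client that reads the IdP, copies its current `status` into the update body and sends one PUT is the shape the fix needs to take, independent of which SDK builds the request.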

@duytiennguyen-okta added the triaged (Triaged into internal Jira) and bug labels Apr 14, 2023
monde (Collaborator) commented Apr 14, 2023

@duytiennguyen-okta fixed this in #1524

@monde monde closed this as completed Apr 14, 2023