okta_app_oauth: unable to remove existing groups_claim #1837

Open
dethmetaljeff opened this issue Nov 29, 2023 · 2 comments
Labels
bug triaged Triaged into internal Jira

Comments

@dethmetaljeff

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

❯ terraform -v
Terraform v1.6.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.49.0
+ provider registry.terraform.io/okta/okta v4.6.1

Affected Resource(s)

  • okta_app_oauth

Terraform Configuration Files

variable "okta_oauth_apps" {
  type = list(object({
    api_scopes     = optional(list(string), [])
    consent_method = optional(string, "TRUSTED")
    grant_types    = optional(list(string), ["authorization_code", "refresh_token"])
    groups         = optional(list(string), [])
    groups_claim = optional(object({
      name        = string
      type        = string
      filter_type = string
      value       = string
    }), null)
    issuer_mode    = optional(string, "ORG_URL")
    label          = string
    login_mode     = optional(string, "DISABLED")
    login_uri      = string
    logo           = optional(string, "")
    name           = string
    omit_secret    = optional(bool, false)
    redirect_uris  = list(string)
    response_types = optional(list(string), ["code"])
    type           = optional(string, "web")
  }))
}

resource "okta_app_oauth" "app" {

  for_each = {
    for index, app in var.okta_oauth_apps : app.name => app
  }

  consent_method = each.value.consent_method
  grant_types    = each.value.grant_types
  issuer_mode    = each.value.issuer_mode
  label          = each.value.label
  login_uri      = each.value.login_uri
  logo           = each.value.logo
  omit_secret    = each.value.omit_secret
  redirect_uris  = each.value.redirect_uris
  response_types = each.value.response_types
  type           = each.value.type

  dynamic "groups_claim" {
    for_each = each.value.groups_claim != null ? [each.value.groups_claim] : []
    content {
      filter_type = groups_claim.value.filter_type
      name        = groups_claim.value.name
      type        = groups_claim.value.type
      value       = groups_claim.value.value
    }
  }
}

data "okta_group" "group" {
  for_each = toset(flatten([for app in var.okta_oauth_apps : app.groups]))
  name     = each.value
}

resource "okta_app_group_assignments" "app" {
  for_each = {
    for index, app in var.okta_oauth_apps : app.name => app
  }
  app_id = okta_app_oauth.app[each.value.name].id
  dynamic "group" {
    for_each = toset(each.value.groups)
    content {
      id = data.okta_group.group[group.key].id
    }
  }
}

resource "okta_app_oauth_api_scope" "app" {
  for_each = {
    for index, app in var.okta_oauth_apps : app.name => app if length(app.api_scopes) > 0
  }
  app_id = okta_app_oauth.app[each.value.name].id
  issuer = "https://XXXXX.okta.com"
  scopes = each.value.api_scopes
}

Expected Behavior

groups_claim removed from oauth app

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

I don't know

Actual Behavior

groups_claim remains set

Steps to Reproduce

  1. terraform apply
  2. terraform apply <~ you'll see changes are still listed
❯ terraform apply
module.okta-apps.data.okta_group.group["Technical Operations"]: Reading...
module.okta-apps.data.okta_group.group["dev-oncall"]: Reading...
module.okta-apps.data.okta_group.group["Network Engineering"]: Reading...
module.okta-apps.data.okta_group.group["Infrastructure"]: Reading...
module.okta-apps.data.okta_group.group["Development"]: Reading...
module.okta-apps.okta_app_oauth.app["nomad-sec1"]: Refreshing state... [id=0oa9pkxakmuOfVojF357]
module.okta-apps.okta_app_oauth.app["backuppc-aur1"]: Refreshing state... [id=0oaa3m0ebsLzVxGlS357]
module.okta-apps.okta_app_oauth.app["backuppc-sec1"]: Refreshing state... [id=0oa8yzaps3F9Be3ei357]
module.okta-apps.okta_app_oauth.app["librenms-sec1"]: Refreshing state... [id=0oa7sqxd8yorkvP0k357]
module.okta-apps.okta_app_oauth.app["nomad-aur1"]: Refreshing state... [id=0oadkra34aCEtgcCI357]
module.okta-apps.data.okta_group.group["Network Engineering"]: Read complete after 0s [id=00gaycsyxbygu4E4i357]
module.okta-apps.data.okta_group.group["dev-oncall"]: Read complete after 0s [id=00ga71whmz9lDWMWQ357]
module.okta-apps.okta_app_oauth.app["consul-sec1"]: Refreshing state... [id=0oaf2ba5qyA4bZ0Cq357]
module.okta-apps.okta_app_oauth.app["consul-aur1"]: Refreshing state... [id=0oaf6xyka6aU4LZY4357]
module.okta-apps.data.okta_group.group["Development"]: Read complete after 0s [id=00g231vfu2CYoZKIT357]
module.okta-apps.data.okta_group.group["Infrastructure"]: Read complete after 1s [id=00g7st05wpUYiJ9P2357]
module.okta-apps.data.okta_group.group["Technical Operations"]: Read complete after 1s [id=00g5jffus36ALmtuZ357]
module.okta-apps.okta_app_group_assignments.app["nomad-sec1"]: Refreshing state... [id=0oa9pkxakmuOfVojF357]
module.okta-apps.okta_app_group_assignments.app["consul-sec1"]: Refreshing state... [id=0oaf2ba5qyA4bZ0Cq357]
module.okta-apps.okta_app_group_assignments.app["nomad-aur1"]: Refreshing state... [id=0oadkra34aCEtgcCI357]
module.okta-apps.okta_app_group_assignments.app["backuppc-sec1"]: Refreshing state... [id=0oa8yzaps3F9Be3ei357]
module.okta-apps.okta_app_group_assignments.app["backuppc-aur1"]: Refreshing state... [id=0oaa3m0ebsLzVxGlS357]
module.okta-apps.okta_app_group_assignments.app["consul-aur1"]: Refreshing state... [id=0oaf6xyka6aU4LZY4357]
module.okta-apps.okta_app_group_assignments.app["librenms-sec1"]: Refreshing state... [id=0oa7sqxd8yorkvP0k357]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.okta-apps.okta_app_oauth.app["backuppc-aur1"] will be updated in-place
  ~ resource "okta_app_oauth" "app" {
        id                         = "0oaa3m0ebsLzVxGlS357"
        name                       = "oidc_client"
        # (33 unchanged attributes hidden)

      - groups_claim {
          - filter_type = "REGEX" -> null
          - issuer_mode = "ORG_URL" -> null
          - name        = "groups" -> null
          - type        = "FILTER" -> null
          - value       = ".*" -> null
        }
    }

  # module.okta-apps.okta_app_oauth.app["nomad-sec1"] will be updated in-place
  ~ resource "okta_app_oauth" "app" {
        id                         = "0oa9pkxakmuOfVojF357"
        name                       = "oidc_client"
        # (33 unchanged attributes hidden)

      - groups_claim {
          - filter_type = "REGEX" -> null
          - issuer_mode = "ORG_URL" -> null
          - name        = "groups" -> null
          - type        = "FILTER" -> null
          - value       = ".*" -> null
        }
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.okta-apps.okta_app_oauth.app["backuppc-aur1"]: Modifying... [id=0oaa3m0ebsLzVxGlS357]
module.okta-apps.okta_app_oauth.app["nomad-sec1"]: Modifying... [id=0oa9pkxakmuOfVojF357]
module.okta-apps.okta_app_oauth.app["backuppc-aur1"]: Modifications complete after 1s [id=0oaa3m0ebsLzVxGlS357]
module.okta-apps.okta_app_oauth.app["nomad-sec1"]: Modifications complete after 1s [id=0oa9pkxakmuOfVojF357]

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.
~/git/aws-infra/terraform/production/okta je/fix-okta*    10s 11:05:12
❯ terraform apply
module.okta-apps.data.okta_group.group["Infrastructure"]: Reading...
module.okta-apps.data.okta_group.group["Development"]: Reading...
module.okta-apps.data.okta_group.group["Network Engineering"]: Reading...
module.okta-apps.data.okta_group.group["Technical Operations"]: Reading...
module.okta-apps.data.okta_group.group["dev-oncall"]: Reading...
module.okta-apps.okta_app_oauth.app["backuppc-aur1"]: Refreshing state... [id=0oaa3m0ebsLzVxGlS357]
module.okta-apps.okta_app_oauth.app["backuppc-sec1"]: Refreshing state... [id=0oa8yzaps3F9Be3ei357]
module.okta-apps.okta_app_oauth.app["nomad-aur1"]: Refreshing state... [id=0oadkra34aCEtgcCI357]
module.okta-apps.okta_app_oauth.app["librenms-sec1"]: Refreshing state... [id=0oa7sqxd8yorkvP0k357]
module.okta-apps.okta_app_oauth.app["consul-sec1"]: Refreshing state... [id=0oaf2ba5qyA4bZ0Cq357]
module.okta-apps.data.okta_group.group["dev-oncall"]: Read complete after 0s [id=00ga71whmz9lDWMWQ357]
module.okta-apps.data.okta_group.group["Network Engineering"]: Read complete after 0s [id=00gaycsyxbygu4E4i357]
module.okta-apps.okta_app_oauth.app["consul-aur1"]: Refreshing state... [id=0oaf6xyka6aU4LZY4357]
module.okta-apps.okta_app_oauth.app["nomad-sec1"]: Refreshing state... [id=0oa9pkxakmuOfVojF357]
module.okta-apps.data.okta_group.group["Technical Operations"]: Read complete after 0s [id=00g5jffus36ALmtuZ357]
module.okta-apps.data.okta_group.group["Development"]: Read complete after 1s [id=00g231vfu2CYoZKIT357]
module.okta-apps.data.okta_group.group["Infrastructure"]: Read complete after 1s [id=00g7st05wpUYiJ9P2357]
module.okta-apps.okta_app_group_assignments.app["backuppc-sec1"]: Refreshing state... [id=0oa8yzaps3F9Be3ei357]
module.okta-apps.okta_app_group_assignments.app["backuppc-aur1"]: Refreshing state... [id=0oaa3m0ebsLzVxGlS357]
module.okta-apps.okta_app_group_assignments.app["nomad-sec1"]: Refreshing state... [id=0oa9pkxakmuOfVojF357]
module.okta-apps.okta_app_group_assignments.app["nomad-aur1"]: Refreshing state... [id=0oadkra34aCEtgcCI357]
module.okta-apps.okta_app_group_assignments.app["consul-sec1"]: Refreshing state... [id=0oaf2ba5qyA4bZ0Cq357]
module.okta-apps.okta_app_group_assignments.app["consul-aur1"]: Refreshing state... [id=0oaf6xyka6aU4LZY4357]
module.okta-apps.okta_app_group_assignments.app["librenms-sec1"]: Refreshing state... [id=0oa7sqxd8yorkvP0k357]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.okta-apps.okta_app_oauth.app["backuppc-aur1"] will be updated in-place
  ~ resource "okta_app_oauth" "app" {
        id                         = "0oaa3m0ebsLzVxGlS357"
        name                       = "oidc_client"
        # (33 unchanged attributes hidden)

      - groups_claim {
          - filter_type = "REGEX" -> null
          - issuer_mode = "ORG_URL" -> null
          - name        = "groups" -> null
          - type        = "FILTER" -> null
          - value       = ".*" -> null
        }
    }

  # module.okta-apps.okta_app_oauth.app["nomad-sec1"] will be updated in-place
  ~ resource "okta_app_oauth" "app" {
        id                         = "0oa9pkxakmuOfVojF357"
        name                       = "oidc_client"
        # (33 unchanged attributes hidden)

      - groups_claim {
          - filter_type = "REGEX" -> null
          - issuer_mode = "ORG_URL" -> null
          - name        = "groups" -> null
          - type        = "FILTER" -> null
          - value       = ".*" -> null
        }
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
@exitcode0
Contributor

I can't reproduce this via the API; the internal APIs seem to still work as expected.
I think these lines may just be returning early if the value has been nulled out, rather than allowing things to proceed and firing the request to null out the attribute:

raw, ok := d.GetOk("groups_claim")
if !ok {
    return nil
}

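The early return quoted in the comment above, played through as an added example (this is not the provider's code). It assumes a small stand-in for the SDK's `schema.ResourceData` that implements only `GetOk` and `HasChange`, and a recording fake of the Okta API client; both are constructed here. The buggy update sits beside a version that keys on `HasChange` and sends a clearing request when the `groups_claim` block has been removed, which is the behaviour the issue expects.

```go
package main

import (
	"fmt"
	"reflect"
)

// groupsClaim mirrors the four fields of the groups_claim block in the issue.
type groupsClaim struct {
	Name, Type, FilterType, Value string
}

// resourceData is a stand-in (assumption) for the SDK's schema.ResourceData,
// implementing only the two calls the update path needs. The nested block is
// held the way the SDK holds it: a list of maps, empty when the block is absent.
type resourceData struct {
	state  map[string]any // what Terraform recorded after the last apply
	config map[string]any // what the new configuration asks for
}

// GetOk follows the SDK contract: ok is false for an absent or zero value, and
// an empty list counts as zero. A removed block therefore always yields !ok.
func (d *resourceData) GetOk(key string) (any, bool) {
	v, present := d.config[key]
	if !present || v == nil {
		return nil, false
	}
	if l, isList := v.([]any); isList && len(l) == 0 {
		return nil, false
	}
	return v, true
}

// HasChange reports whether the configured value differs from state.
func (d *resourceData) HasChange(key string) bool {
	return !reflect.DeepEqual(d.state[key], d.config[key])
}

// apiClient is a recording fake (assumption): each request is stored, and a
// nil entry stands for "clear the groups claim on the app".
type apiClient struct {
	requests []*groupsClaim
}

func (c *apiClient) setGroupsClaim(gc *groupsClaim) {
	c.requests = append(c.requests, gc)
}

func toClaim(raw any) *groupsClaim {
	m := raw.([]any)[0].(map[string]any)
	return &groupsClaim{
		Name:       m["name"].(string),
		Type:       m["type"].(string),
		FilterType: m["filter_type"].(string),
		Value:      m["value"].(string),
	}
}

// updateGroupsClaimBuggy reproduces the quoted pattern: when the block is gone,
// GetOk reports !ok and the function returns before any request is sent, so
// the claim silently survives in Okta and every later plan shows the same diff.
func updateGroupsClaimBuggy(d *resourceData, c *apiClient) error {
	raw, ok := d.GetOk("groups_claim")
	if !ok {
		return nil
	}
	c.setGroupsClaim(toClaim(raw))
	return nil
}

// updateGroupsClaimFixed keys on HasChange instead: an absent value after a
// change means "remove", and that removal is pushed to the API.
func updateGroupsClaimFixed(d *resourceData, c *apiClient) error {
	if !d.HasChange("groups_claim") {
		return nil
	}
	raw, ok := d.GetOk("groups_claim")
	if !ok {
		c.setGroupsClaim(nil)
		return nil
	}
	c.setGroupsClaim(toClaim(raw))
	return nil
}

// simulateRemoval plays the issue's scenario (claim present in state, block
// removed from config) through an update function and reports what reached
// the API. The state value is constructed from the plan output in the issue.
func simulateRemoval(update func(*resourceData, *apiClient) error) (requests int, cleared bool) {
	existing := []any{map[string]any{
		"name": "groups", "type": "FILTER", "filter_type": "REGEX", "value": ".*",
	}}
	d := &resourceData{
		state:  map[string]any{"groups_claim": existing},
		config: map[string]any{"groups_claim": []any{}},
	}
	c := &apiClient{}
	_ = update(d, c)
	for _, r := range c.requests {
		if r == nil {
			cleared = true
		}
	}
	return len(c.requests), cleared
}

func main() {
	n, cleared := simulateRemoval(updateGroupsClaimBuggy)
	fmt.Printf("buggy: %d request(s), claim cleared: %v\n", n, cleared)
	n, cleared = simulateRemoval(updateGroupsClaimFixed)
	fmt.Printf("fixed: %d request(s), claim cleared: %v\n", n, cleared)
}
```

Run with `go run`: the buggy path sends zero requests and the claim is never cleared, which is why the second `terraform apply` in the report shows the identical plan; the fixed path sends exactly one clearing request. The detection angle for operators is the same one the reporter used: a plan that is non-empty immediately after a clean apply means the provider is not converging the remote object.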
@duytiennguyen-okta duytiennguyen-okta added bug triaged Triaged into internal Jira labels Dec 5, 2023
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-673377
