
okta_app_access_policy_assignment cannot be used with apps of sign-on mode "AWS IAM Role" #2092

Open
sfrancis-splunk opened this issue Sep 19, 2024 · 0 comments
Labels
bug OKTA-809800 triaged Triaged into internal Jira

Comments


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • Terraform 1.7.4
  • okta/okta v4.11.0
  • hashicorp/aws v5.20.1

Affected Resource(s)

  • okta_app_access_policy_assignment

Terraform Configuration Files

data "okta_app" "aws_govcloudtest1" {
  #label = "AWS: GovCloudTest1"
  id = "<id-of-AWS-okta-app>"
}

resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign" {
  app_id    = data.okta_app.aws_govcloudtest1.id
  policy_id = okta_app_signon_policy.any-two-factors.id
}

resource "okta_app_signon_policy" "any-two-factors" {
  name        = "Any two factors"
  description = "Require two factors to access."
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

The resource should have been created, linking the app access policy to the app specified in the data resource. The app specified is an amazon_aws app with the Sign On tab set to "AWS IAM Role" ("signOnMode": "AWS_IAM_ROLE" in app JSON output).

Can this be done in the Admin UI?

Yes, this is our workaround at present.

Can this be done in the actual API call?

Yes: there are no requirements in the App API docs for specific signOnMode types with linking access policies.

Actual Behavior

terraform plan reports that the resource will be created:

Terraform will perform the following actions:
# module.app_policy_module.okta_app_access_policy_assignment.aws_govcloudtest1_assign will be created
+ resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign" {
    + app_id    = "<id-of-aws-app>"
    + id        = (known after apply)
    + policy_id = "<id-of-policy>"
  }

terraform apply fails with:

│ Error: issue with inner app response
│ 
│   with module.app_policy_module.okta_app_access_policy_assignment.aws_govcloudtest1_assign,
│   on modules/app-policy/aws_govcloudtest1_assign.tf line 2, in resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign":
│    2: resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign" {
│ 
│ okta list applications response does not contain a concrete app

Steps to Reproduce

  1. terraform plan
  2. terraform apply

Important Factoids

The error seems to stem from resource_okta_app_access_policy_assignment.go: concreteAppID only iterates through the main Okta SDK application types.

It's understandable that the SDK wouldn't support OIN-specific apps, but since there is nothing in the Okta API preventing linking an access policy to an OIN app, this feels like a bug.

References

  • #0000
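The failure mode described in the issue, reduced to a stand-alone Go illustration (added example; this is not the okta/okta provider's or the Okta SDK's code, and the `appEntry` type, `sampleApps` response, `knownSignOnModes` set and both resolver functions are constructed here). The strict resolver only accepts apps whose signOnMode maps to a known concrete type, so an `AWS_IAM_ROLE` app is skipped and the same "no concrete app" error results; the lenient resolver matches on id alone, which is all the policy-assignment call needs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed minimal shape of one entry in an Okta /api/v1/apps list response.
type appEntry struct {
	ID         string `json:"id"`
	Name       string `json:"name"`
	SignOnMode string `json:"signOnMode"`
}

// Constructed sample response: one SAML app and one AWS IAM Role app.
const sampleApps = `[
 {"id":"0oa1saml","name":"custom_saml","signOnMode":"SAML_2_0"},
 {"id":"0oa2aws","name":"amazon_aws","signOnMode":"AWS_IAM_ROLE"}
]`

// Sign-on modes the hypothetical strict resolver can map to a concrete app type.
var knownSignOnModes = map[string]bool{
	"SAML_2_0": true, "OPENID_CONNECT": true, "BOOKMARK": true, "AUTO_LOGIN": true,
}

var errNoConcreteApp = errors.New("okta list applications response does not contain a concrete app")

// strictConcreteAppID reproduces the bug pattern: an app is only accepted when its
// signOnMode is in the fixed set, so AWS_IAM_ROLE falls through to the error.
func strictConcreteAppID(listJSON, wantID string) (string, error) {
	var apps []appEntry
	if err := json.Unmarshal([]byte(listJSON), &apps); err != nil {
		return "", err
	}
	for _, a := range apps {
		if a.ID == wantID && knownSignOnModes[a.SignOnMode] {
			return a.ID, nil
		}
	}
	return "", errNoConcreteApp
}

// lenientConcreteAppID matches on id only; the assignment endpoint needs the app id,
// not a concrete Go type, so unknown sign-on modes are accepted as well.
func lenientConcreteAppID(listJSON, wantID string) (string, error) {
	var apps []appEntry
	if err := json.Unmarshal([]byte(listJSON), &apps); err != nil {
		return "", err
	}
	for _, a := range apps {
		if a.ID == wantID {
			return a.ID, nil
		}
	}
	return "", fmt.Errorf("app %q not found in list response", wantID)
}

func main() {
	_, err := strictConcreteAppID(sampleApps, "0oa2aws")
	fmt.Println("strict:", err)
	id, _ := lenientConcreteAppID(sampleApps, "0oa2aws")
	fmt.Println("lenient:", id)
}
```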