okta_app_group_assignments for SAML apps updates (Optional) profile values #669

Closed
elena-rico opened this issue Sep 24, 2021 · 3 comments · Fixed by #689

@elena-rico

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Optional values for the profile attribute are set to null on each tf plan and tf apply in okta_app_group_assignments for SAML apps.
This behaviour persists even if profile is set to json({}).
This behaviour seems to be related to the issue fixed in v3.13.13, but in this case for the JSON body of the profile attribute.

Terraform Version

Terraform v1.0.6
on darwin_amd64

  • provider registry.terraform.io/okta/okta v3.13.13

Affected Resource(s)

  • okta_app_group_assignments

Terraform Configuration Files

resource "okta_app_group_assignments" "my_app_group_assignments" {
  provider = okta.corporate_okta
  app_id   = okta_app_saml.my_saml_app.id

  dynamic "group" {
    for_each = data.okta_group.corporate_okta_my_saml_app_groups
    content {
      id = group.value.id
    }
  }
}

resource "okta_app_saml" "my_saml_app" {
  provider    = okta.my_provider
  label       = data.okta_app_saml.my_saml_app.label
  hide_ios    = true
  hide_web    = true
  skip_users  = true
  skip_groups = true
  features = [
    "GROUP_PUSH",
    "IMPORT_NEW_USERS",
    "IMPORT_PROFILE_UPDATES",
    "IMPORT_USER_SCHEMA",
    "PUSH_NEW_USERS",
    "PUSH_USER_DEACTIVATION",
    "REACTIVATE_USERS",
  ]
  app_settings_json = <<JSON
{
  "acsUrl": "url",
  "audRestriction": "restriction",
  "baseUrl": "baseURL"
}
JSON

  lifecycle {
    prevent_destroy = true
    ignore_changes = [
      users,
      groups,
      key_years_valid,
      auto_submit_toolbar
    ]
  }
}

Debug Output

Panic Output

Expected Behavior

tf plan and tf apply should not make any changes when profile attributes are not provided.

Actual Behavior

  # okta_app_group_assignments.my_app_group_assignments will be updated in-place
  ~ resource "okta_app_group_assignments" "my_app_group_assignments" {
        id     = "<id>"
        # (1 unchanged attribute hidden)

      ~ group {
            id       = "<id>"
          ~ profile  = jsonencode(
              ~ {
                  - department              = null -> null
                  - division                = null -> null
                  - initialStatus           = null -> null
                  - locale                  = null -> null
                  - manager                 = null -> null
                  - managerId               = null -> null
                  - organization            = null -> null
                  - preferredLanguage       = null -> null
                  - securityAnswer          = null -> null
                  - securityQuestion        = null -> null
                  - timezone                = null -> null
                  - userType                = null -> null
                }
            )
            # (1 unchanged attribute hidden)
        }
    }

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. terraform plan

Important Factoids

References

  • #0000
@bogdanprodan-okta
Contributor

Hi, @elena-rico! Sorry for the late response. I'm currently looking into this issue and hopefully will include the fix in the next release. Cheers!

@elena-rico
Author

Excellent! Thank you @bogdanprodan-okta

@bogdanprodan-okta
Contributor

@elena-rico so the behavior will be as follows:

  • Terraform will skip profile fields that are set to null.
  • If the profile field is set outside of Terraform, it will show a diff like this:
        group {
            id       = "00g11yriix0SgmEbn0h8"
          ~ profile  = jsonencode(
              ~ {
                  - testAcc_replace_with_uuid_2 = "L" -> null
                }
            )
            # (1 unchanged attribute hidden)
        }
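
The comparison described in the comment above, as an added Go example that is not part of the thread and is not the provider's code from #689: null-valued profile fields are ignored on both sides, while a value set outside Terraform is still reported as drift. The function name `profileDrift` and the sample profiles are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// profileDrift (hypothetical helper) returns the sorted profile keys whose
// non-null values differ between the configured profile JSON and the profile
// JSON read back from the API. Keys whose value is null are ignored.
func profileDrift(configured, remote string) ([]string, error) {
	var sides [2]map[string]interface{}
	for i, raw := range []string{configured, remote} {
		if err := json.Unmarshal([]byte(raw), &sides[i]); err != nil {
			return nil, fmt.Errorf("profile %d: %w", i, err)
		}
		for k, v := range sides[i] {
			if v == nil {
				delete(sides[i], k) // null means "not set", not a managed value
			}
		}
	}
	want, got := sides[0], sides[1]
	drift := []string{}
	for k, v := range got {
		if w, ok := want[k]; !ok || !reflect.DeepEqual(w, v) {
			drift = append(drift, k) // set remotely, or set to a different value
		}
	}
	for k := range want {
		if _, ok := got[k]; !ok {
			drift = append(drift, k) // configured but missing remotely
		}
	}
	sort.Strings(drift)
	return drift, nil
}

func main() {
	// Constructed sample: null fields as in the plan output in the issue, plus
	// one value set outside Terraform.
	remote := `{"department":null,"locale":null,"testAcc_replace_with_uuid_2":"L"}`
	fmt.Println(profileDrift(`{}`, remote))
}
```
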
