`okta_app_group_assignments` cannot find inactive apps by id

lix5686 commented 1 year ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

% terraform -v
Terraform v1.3.9
on darwin_arm64
+ provider registry.terraform.io/okta/okta v3.42.0

Affected Resource(s)

okta_app_group_assignments

Terraform Configuration Files

data "okta_group" "everyone" {
  name = "Everyone"
}

resource "okta_app_bookmark" "example" {
  for_each = toset(["example"])
  status = "INACTIVE"
  label  = "Example"
  url    = "https://example.com"
}

resource "okta_app_group_assignments" "example_group_assignment" {
  for_each = okta_app_bookmark.example

  app_id = each.value.id
  group {
    id = data.okta_group.everyone.id
  }
}

Panic Output

╷
│ Error: failed to create application group assignment: the API returned an error: Not found: Resource not found: 0oa7g2kg9bEhDbqj91d7 (AppInstance)
│ 
│   with module.etsy_app_bookmarks.okta_app_group_assignments.example_group_assignment["example"],
│   on ../modules/bookmarks/main.tf line 11, in resource "okta_app_group_assignments" "example_group_assignment":
│   45: resource "okta_app_group_assignments" "example_group_assignment" {
│ 
╵

Expected Behavior

I'd expect that the group assignment successfully finds the app by id since the app exists (see the screenshot below) and assign to the group to the app Screenshot 2023-03-23 at 1 33 20 PM

Can this be done in the Admin UI?

No, it seems that I cannot assign groups to an inactive app either.

Can this be done in the actual API call?

I don't know.

Actual Behavior

Fails to find the app and unable to assign the group to the app. I posted an example for bookmark app for simplicity but this also happens with oauth or saml apps as well.

Steps to Reproduce

terraform apply

Important Factoids

References

0000

monde commented 1 year ago

Thanks @lix5686 . I suspect Okta API does not allow a group to be assigned to an inactive app, will have to investigate. If API is not in parity with Admin UI we'll have to file a bug/enhancement on the responsible feature team at Okta.

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-594730

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

lix5686 commented 1 year ago

@monde could you keep it open to track the issue? thank you

adantop commented 1 year ago

Not stale

monde commented 11 months ago

Some findings from #1465 - commend https://github.com/okta/terraform-provider-okta/issues/1465#issuecomment-1799392065

@duytiennguyen-okta and I looked at this some more. We think there is a flaw in the way all the apps do update. If you are using TF to disable an app then any other updates in the same apply are invalid for that update. Okta treats deactivated apps as a soft delete, once deactivated, the operator can no longer make associations to that app or update it's attributes. The only action or change that can be taken on an deactivated app is activate it or delete it. I'm going to update all the apps behavior to be more precise about this. And also update our docs.

@lix5686 @adantop I think this issue is expected behavior, assignments can not be made with a deactivated app. I'm going to close this issue.

okta / terraform-provider-okta