okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

UnPlanned changes - `okta_app*` - unexpected `authentication_policy` #1742

Closed exitcode0 closed 5 months ago

exitcode0 commented 1 year ago

Community Note

Affected Resource(s)

Terraform Configuration Files

```hcl
resource "okta_app_bookmark" "example" {
  label = "Example"
  url   = "https://example.com"
}
```

Expected Behavior

Terraform Plan should outline all changes that would result from executing Terraform Apply.

Actual Behavior

When the upstream API chooses default behavior, we don't expose this in the Terraform Plan.

In this case, the existing well-known behavior is that omitting `authentication_policy` on `okta_app*` resources results in the default authentication policy being used. This can unexpectedly replace an authentication policy that was click-ops provisioned to an application.

I believe this has something to do with this API not supporting partial updates and assuming that an omitted value is equivalent to a null value.

Steps to Reproduce

  1. terraform apply
  2. Click-Ops change Auth Policy
  3. terraform apply
  4. Auth Policy has now changed in a way that was not visible to IAC

Important Factoids

Most of our engineers expect that Terraform Plan will outline all changes that would result from executing Terraform Apply. When this contract is broken, it understandably catches most engineers unaware and can cause outages.

One of the benefits of Terraform is that it can be rolled out gradually because it does not attempt to modify resources that are not under management. But in this case this is being undermined by default behaviors in the upstream API.

Some ideas below for paths forward to more intuitive behavior.

Things within Okta Terraform's control

Things outside the Okta TF provider's control

duytiennguyen-okta commented 11 months ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-669839

duytiennguyen-okta commented 5 months ago

@exitcode0. I'm trying to understand what you're trying to fix. If your goal is just to surface the change of `authentication_policy` in Terraform, then PR #1993 should also fix that. Is there anything else you're trying to do?

exitcode0 commented 5 months ago

This is an old issue, so my memory of it is vague. It seems that I was concerned that the default behaviour of the upstream APIs is not properly surfaced in the provider. This would be exceedingly difficult to address based on my current understanding, so not sure if this one is worth spending much thought on.
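
A pre-apply guard for the behavior reported in this issue, added here as an example (not code from the thread or from the provider): it walks the JSON form of a plan, as produced by `terraform show -json`, and lists `okta_app_*` resources whose configuration omits `authentication_policy`, so an implicit reset to the default policy is caught in review even when the plan diff shows nothing. The sample plan is constructed and the function names are hypothetical.

```python
ATTR = "authentication_policy"

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {
    "resource_changes": [
        {"type": "okta_app_bookmark",
         "change": {"after": {"label": "Example", ATTR: None}, "after_unknown": {}}},
        {"type": "okta_app_oauth",
         "change": {"after": {"label": "Portal"}, "after_unknown": {ATTR: True}}},
    ],
    "configuration": {"root_module": {
        "resources": [
            {"mode": "managed", "type": "okta_app_bookmark", "name": "example",
             "expressions": {"label": {"constant_value": "Example"}}},
            {"mode": "managed", "type": "okta_app_group_assignment", "name": "eng",
             "expressions": {"app_id": {"references": ["okta_app_bookmark.example"]}}},
        ],
        "module_calls": {"sso": {"module": {"resources": [
            {"mode": "managed", "type": "okta_app_oauth", "name": "portal",
             "expressions": {ATTR: {"references": ["okta_app_signon_policy.mfa"]}}},
        ]}}},
    }},
}

def types_with_attr(plan):
    """Resource types whose planned values carry ATTR (set, null or unknown)."""
    return {rc["type"] for rc in plan.get("resource_changes", [])
            for view in ("after", "after_unknown")
            if ATTR in ((rc.get("change") or {}).get(view) or {})}

def walk_config(module, prefix=""):
    """Yield (address, resource) for managed resources, descending into modules."""
    for res in module.get("resources", []):
        if res.get("mode") == "managed":
            yield f"{prefix}{res['type']}.{res['name']}", res
    for name, call in module.get("module_calls", {}).items():
        yield from walk_config(call.get("module", {}), f"{prefix}module.{name}.")

def unpinned_apps(plan):
    """Addresses of okta_app_* resources whose configuration omits ATTR."""
    types = {t for t in types_with_attr(plan) if t.startswith("okta_app_")}
    root = plan.get("configuration", {}).get("root_module", {})
    return sorted(addr for addr, res in walk_config(root)
                  if res["type"] in types and ATTR not in res.get("expressions", {}))

if __name__ == "__main__":
    print(unpinned_apps(SAMPLE_PLAN))
```

For a real run, pass `unpinned_apps` the result of `json.load` on a file written by `terraform show -json plan.out`; types that do not carry the attribute, such as the group assignment in the sample, are skipped.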