okta_app_group_assignments: failed to delete group assignment: Resource not found

joshgch commented 8 months ago

When looping through okta_app_group_assignments with a dynamic block, and deleting an okta_group at the same time, I find that the Okta Group gets deleted before attempting to then delete the assignment. This produces an error because when the group is deleted, it is already removed from the assignment.

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.6.6

Affected Resource(s)

okta_app_group_assignments

Terraform Configuration Files

locals {
  app_groups = [
    "tf-test-group-1",
    "tf-test-group-2",
  ]
}

resource "okta_group" "app_groups" {
  for_each = toset(local.app_groups)

  name        = each.key
}

resource "okta_app_group_assignments" "aws" {
  app_id = "REDACTED"

  dynamic "group" {
    for_each = okta_group.app_groups

    content {
      id       = group.value.id
      priority = index(local.app_groups, group.key)
    }
  }
}

Error Output

okta_group.app_groups["tf-test-group-2"]: Destroying... [id=REDACTED]
okta_group.app_groups["tf-test-group-2"]: Destruction complete after 0s
okta_app_group_assignments.aws: Modifying... [id=REDACTED]
╷
│ Error: failed to delete group assignment: could not delete assignment for group REDACTED, to application REDACTED: the API returned an error: Not found: Resource not found: REDACTEDREDACTED (GroupAppAssignment)
│ 
│   with okta_app_group_assignments.aws,
│   on main.tf line 29, in resource "okta_app_group_assignments" "aws":
│   29: resource "okta_app_group_assignments" "aws" {
│ 
╵
Operation failed: failed running terraform apply (exit 1)

Expected Behavior

okta_app_group_assignments should either unassign the group before deleting it or handle the deletion gracefully

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

Yes

Actual Behavior

It seems that the Okta provider tries to

Steps to Reproduce

terraform apply with the sample code
Remove one of the groups from the app_groups local and apply again
Error should occur

joshgch commented 8 months ago

I tested this same issue with provider version 4.0.0 and it does not have this error.

joshgch commented 8 months ago

Update: This issue is introduced with version 4.6.0. Version 4.5.0 works fine.

duytiennguyen-okta commented 8 months ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-690461

okta / terraform-provider-okta