okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

`okta_resource_set` always detects a change in resources with an ORN path #1991

Open joshuacollins-deloitte opened 5 months ago

joshuacollins-deloitte commented 5 months ago

Terraform Version

```
Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/okta/okta v4.8.1
```

Affected Resource(s)

Terraform Configuration Files

I've redacted the organisation ID below, but it's reproducible in every environment I've tried so far. All 3 are classic engine environments.

```hcl
resource "okta_resource_set" "all_customizations" {
  label       = "Brand Customizations"
  description = "Brand Customizations"
  resources = [
    "orn:oktapreview:idp:00xxxxxxxx0h7:customizations"
  ]
}
```

Expected Behavior

The resource set should be created once and then not appear in the terraform plan until the configuration changes (or drifts on the tenant).

Actual Behavior

Terraform persistently detects that a change is required and attempts to add the resource again on every plan and apply. Subsequent applies still succeed.

```
  # okta_resource_set.all_customizations will be updated in-place
  ~ resource "okta_resource_set" "all_customizations" {
        id          = "iam22okfx9urzNXZE0h8"
      ~ resources   = [
          + "orn:oktapreview:idp:00xxxxxxxx0h7:customizations",
        ]
        # (2 unchanged attributes hidden)
    }
```

Steps to Reproduce

  1. Insert config block above to your main.tf
  2. Run terraform plan and terraform apply to create the resource set
  3. Run terraform plan again and see that the resource_set will be updated in the plan

duytiennguyen-okta commented 5 months ago

Hi @joshuacollins-deloitte, how is this issue blocking your flow? We are currently limiting investment in Classic Engine. Are you exploring an update to Identity Engine? This information will help us determine and prioritize the fix as necessary.

joshuacollins-deloitte commented 5 months ago

Hi @duytiennguyen-okta, I included the comment about classic engine for context, but after testing today, I can also reproduce the issue in Identity Engine. Not a major blocker, it just ends up looking like config drift is constantly occurring.

pro4tlzz commented 5 months ago

Hi @duytiennguyen-okta

We are using Identity Engine and also experiencing this problem.

We're using the ORN because some resources such as Workflows don't have a REST API.

I guess for now we will just have to ignore changes but it would be great to have a fix here.

zacharysfisher commented 4 months ago

We are also using OIE and experiencing this issue. We manage all Resource Sets in Terraform, so having a fix here would make it not look like we have drift every time a plan/apply is run.

duytiennguyen-okta commented 4 months ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-735700

exitcode0 commented 2 months ago

@duytiennguyen-okta Could we get some guidance on what needs to change here? I'm happy to raise a PR for this but I think I need a bit of guidance. It looks like this might be happening because we're still using the api supplicant; I'm wondering if changing over to using one of the newer golang SDKs might resolve this?
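Since the fallback discussed in this thread is to ignore the change, a plan-triage check is one way to keep genuine drift on resource sets visible. This is an added example, not code from the issue or the provider: it assumes Terraform's JSON plan output (`terraform show -json <planfile>`), uses a hypothetical allowlist `acknowledged_orns` of ORNs already applied, and runs on a constructed sample plan.

```python
import json

ORN = "orn:oktapreview:idp:00xxxxxxxx0h7:customizations"  # redacted value from the issue

def _rc(address, before_res, after_res):
    # Build one constructed resource_changes entry (plan JSON shape).
    base = {"id": "constructed-id", "label": address, "description": address}
    return {"address": address, "type": "okta_resource_set",
            "change": {"actions": ["update"],
                       "before": {**base, "resources": before_res},
                       "after": {**base, "resources": after_res}}}

# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("okta_resource_set.all_customizations", [], [ORN]),
    _rc("okta_resource_set.example_users",  # hypothetical second resource set
        ["https://example.okta.com/api/v1/users"],
        ["https://example.okta.com/api/v1/users",
         "https://example.okta.com/api/v1/groups"]),
]})

def classify(plan_json, acknowledged_orns):
    """Map each changed okta_resource_set address to 'known-orn-diff' or 'review'."""
    verdicts = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") != "okta_resource_set" or actions == ["no-op"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        old = set(before.get("resources") or [])
        new = set(after.get("resources") or [])
        added, removed = new - old, old - new
        other_keys = (before.keys() | after.keys()) - {"resources"}
        others_same = all(before.get(k) == after.get(k) for k in other_keys)
        # The perpetual diff only ever re-adds ORNs that were already applied.
        spurious = (actions == ["update"] and others_same and not removed
                    and bool(added) and added <= set(acknowledged_orns))
        verdicts[rc["address"]] = "known-orn-diff" if spurious else "review"
    return verdicts

if __name__ == "__main__":
    for address, verdict in classify(SAMPLE_PLAN, {ORN}).items():
        print(f"{verdict:15} {address}")
```

An ORN that is not yet on the allowlist is reported as `review`, so a first-time grant is not mistaken for the recurring diff.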