okta_policy datasource fails with 3.40.0 Error: "okta_app_signon_policy" is a resource for OIE Orgs only

[kouk]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

❯ terraform -v
Terraform v1.3.7
on darwin_amd64
+ provider registry.terraform.io/okta/okta v3.40.0

Affected Resource(s)

• data.okta_policy

Terraform Configuration Files

terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "3.40.0"
    }
  }
}

provider "okta" {
  org_name = "REDACTED"
  base_url = "okta.com"
}

data "okta_policy" "default_idp_policy" {
  name = "Idp Discovery Policy"
  type = "IDP_DISCOVERY"
}

Debug Output

https://gist.github.com/kouk/71f1e8951d2f201cd69164f2e0ec080d

Panic Output

n/a

Expected Behavior

The IDP_DISCOVERY policy isn't restricted to OIE orgs, so this should not error out but instead fetch the policy details. E.g. in previous version of the provider 3.39.0:

❯ terraform plan
data.okta_policy.default_idp_policy: Reading...
data.okta_policy.default_idp_policy: Read complete after 1s [id=00p10u0y79BXH6JzY4x7]

No changes. Your infrastructure matches the configuration.

Actual Behavior

❯ terraform plan
data.okta_policy.default_idp_policy: Reading...
╷
│ Error: "okta_app_signon_policy" is a resource for OIE Orgs only, see https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_signon_policy
│
│   with data.okta_policy.default_idp_policy,
│   on test.tf line 15, in data "okta_policy" "default_idp_policy":
│   15: data "okta_policy" "default_idp_policy" {
│
╵

Steps to Reproduce

1. terraform plan

Important Factoids

The org is a classic org.

References

Possible change that introduced the problem:
https://github.com/okta/terraform-provider-okta/pull/1412/files

• #0000

[monde]

At internal triage we discussed getting rid of these checks in the TF provider if isClassicOrg(m) { and just bubbling the API error up to the operator and also have an WARNING log entry.

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-567054

[CodyDunlap]

I'm having this same issue after upgrading from the Okta TF Provider version 3.15 -> 3.41. I have had the following configuration working for about 2 years on Classic Engine. I'm confused as to why all of a sudden it's breaking with an error indicating a completely different resource is only available on Identity Engine.

Configuration

data "okta_policy" "idp_discovery_policy" {
  name = "Idp Discovery Policy"
  type = "IDP_DISCOVERY"
}

resource "okta_policy_rule_idp_discovery" "azure_idp_discovery" {
  policy_id          = data.okta_policy.idp_discovery_policy.id
  name               = "Azure IdP"
  idp_id              = okta_idp_saml.azure_active_directory_saml.id
  idp_type          = "SAML2"
}

Error

Error: "okta_app_signon_policy" is a resource for OIE Orgs only, see https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_signon_policy

  with data.okta_policy.idp_discovery_policy,
  on idp_saml.tf line 26, in data "okta_policy" "idp_discovery_policy":
  26: data "okta_policy" "idp_discovery_policy" {

[monde]

@CodyDunlap the fix the bug you are seeing is in #1445 will be released later today as v3.42.0

[CodyDunlap]

Great! Thanks!

[monde]

Fix released in https://github.com/okta/terraform-provider-okta/releases/tag/v3.42.0