okta_resource_set always detects a change in resources with an ORN path

[joshuacollins-deloitte]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.8.2
on linux_amd64
+ provider registry.terraform.io/okta/okta v4.8.1

Affected Resource(s)

• okta_resource_set

Terraform Configuration Files

I've redacted the organisation ID below, but it's reproduceable in every environment I've tried so far. All 3 are classic engine environments.

resource "okta_resource_set" "all_customizations" {
  label = "Brand Customizations"
  description = "Brand Customizations"
  resources = [
    "orn:oktapreview:idp:00xxxxxxxx0h7:customizations"
  ]
}

Expected Behavior

The resource set should be created once and then not appear in the terraform plan until the configuration changes (or drifts on the tenant)

Actual Behavior

Terraform persistently detects that a change is required and attempts to add the resource again on every plan and apply. Subsequent applies still succeed.

  # okta_resource_set.all_customizations will be updated in-place
  ~ resource "okta_resource_set" "all_customizations" {
        id          = "iam22okfx9urzNXZE0h8"
      ~ resources   = [
          + "orn:oktapreview:idp:00xxxxxxxx0h7:customizations",
        ]
        # (2 unchanged attributes hidden)
    }

Steps to Reproduce

1. Insert config block above to your main.tf
2. Run terraform plan and terraform apply to create the resource set
3. Run terraform plan again and see that the resource_set will be updated in the plan

Important Factoids

References

[duytiennguyen-okta]

Hi @joshuacollins-deloitte, how is this issue blocking your flow? We are currently limiting investment in Classic Engine. Are you exploring an update to Identity Engine? This information will help us determine and prioritize the fix as necessary

[joshuacollins-deloitte]

Hi @duytiennguyen-okta, I included the comment about classic engine for context, but after testing today, I can also reproduce the issue in Identity Engine.
Not a major blocker, it just ends up looking like config drift is constantly occurring

[pro4tlzz]

Hi @duytiennguyen-okta

We are using Identity Engine and also experiencing this problem.

We're using the ORN because some resources such as Workflows don't have a REST API.

I guess for now we will just have to ignore changes but it would be great to have a fix here.

[zacharysfisher]

We are also using OIE and experiencing this issue. We manage all Resource Sets in Terraform so having a fix here would make not look like we have drift everytime a plan/apply is run.

[duytiennguyen-okta]

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-735700

[exitcode0]

@duytiennguyen-okta
Could we get some guidance on what needs to change here? I'm happy to raise a PR on for this but I think I need a bit of guidance
It looks like this might be happening because we're still using the api supplicant, i'm wondering if changing over to using one of the newer golang SDK's might resolve this?