
okta_profile_mapping not destroyable #2185

Open
keks42 opened this issue Jan 22, 2025 · 1 comment
Labels
bug triaged Triaged into internal Jira

Comments


keks42 commented Jan 22, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.5.7

Affected Resource(s)

  • okta_profile_mapping

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

# -------- Okta provided stuff ----------
data "okta_policy" "idp_discovery_policy" {
  name = "Idp Discovery Policy"
  type = "IDP_DISCOVERY"
}

data "okta_user_profile_mapping_source" "user" {
  depends_on = [okta_idp_saml.entra_id]
}


# -------- Actual IDP Configuration ----------
resource "okta_idp_saml" "entra_id" {
  issuer            = "https://sts.windows.net/whatever"
  kid               = okta_idp_saml_key.entra_id_certificate.id
  name              = "Entra ID"
  sso_destination   = "https://login.microsoftonline.com/whatever"
  sso_url           = "https://login.microsoftonline.com/whatever"
  username_template = "idpuser.subjectNameId"
}

resource "okta_idp_saml_key" "entra_id_certificate" {
  x5c = [
    "MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5p\nYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMM\nB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCB\njzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9r\ndGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTf\nn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4\nwWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8s\nDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/\nDwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/I\nYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93s\nDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo\n1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9"
  ]
}

## How are users from EntraID identified as the same user in Okta?
resource "okta_policy_rule_idp_discovery" "entra_id_user_identification" {
  name                 = "Azure AD"
  idp_type             = "SAML2"
  idp_id               = okta_idp_saml.entra_id.id
  user_identifier_type = "IDENTIFIER"
  policy_id            = data.okta_policy.idp_discovery_policy.id
  user_identifier_patterns {
    match_type = "SUFFIX"
    value      = "some.example.com"
  }
  depends_on = [okta_idp_saml.entra_id]
}


# -------- User Profile Mapping ----------
## Custom attributes
resource "okta_app_user_schema_property" "loginname" {
  app_id        = okta_idp_saml.entra_id.id
  index         = "loginname"
  title         = "Entra ID Loginname"
  type          = "string"
  external_name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}

## Actual mapping
resource "okta_profile_mapping" "example" {
  source_id          = okta_idp_saml.entra_id.id
  target_id          = data.okta_user_profile_mapping_source.user.id
  delete_when_absent = true

  mappings {
    id         = "login"
    expression = "appuser.${okta_app_user_schema_property.loginname.index}"
  }
}

Debug Output

Panic Output

Expected Behavior

Terraform should be able to destroy the resources that it just created.

Can this be done in the Admin UI?

Partly. When deleting the whole IDP in the Admin UI, the profile mapping is also deleted.

Can this be done in the actual API call?

I don't know.

Actual Behavior

Executed commands:

terraform init
terraform plan -var-file=vars.tfvars -out okta.tfplan
terraform apply okta.tfplan
terraform destroy -var-file=vars.tfvars

The vars.tfvars file contains only the required variables (org_name / base_url / api_token).

Terraform successfully creates all the resources, but is not able to destroy the freshly created resources. The following error appears:

│ Error: failed to delete application user schema property: the API returned an error: Api validation failed: updateAppUserSchemas. Causes: errorSummary: Property loginname cannot be deleted. It is used to populate user.login.
│ 

Steps to Reproduce

See above.

Important Factoids

References

  • #0000
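The destroy error above is Okta refusing to drop a custom app user schema property while a profile mapping expression still populates a user attribute from it. The following preflight check is an added example, not code from this issue or from the Okta provider: given mapping objects in the shape returned by Okta's mappings API (`properties` keyed by target attribute, each with an `expression`), it lists the target attributes that reference a given `appuser.<index>` property, so the blocker can be found before running `terraform destroy`. The sample mapping, its ids and the extra attributes are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample shaped like an Okta profile mapping object, mirroring the
# issue's configuration: IdP app user attribute "loginname" feeds user.login.
SAMPLE_MAPPING = {
    "id": "prm-constructed-example",
    "source": {"id": "0oa-constructed-idp", "name": "Entra ID", "type": "appuser"},
    "target": {"id": "oty-constructed-user", "name": "user", "type": "user"},
    "properties": {
        "login": {"expression": "appuser.loginname", "pushStatus": "DONT_PUSH"},
        "email": {"expression": "appuser.email", "pushStatus": "DONT_PUSH"},
        "firstName": {
            "expression": 'String.substringBefore(appuser.displayName, " ")',
            "pushStatus": "DONT_PUSH",
        },
    },
}


def references_to_property(mapping: dict, index: str) -> List[str]:
    """Return target attributes (e.g. 'user.login') whose mapping expression
    uses the app user schema property `index` (e.g. appuser.loginname)."""
    # Word boundaries keep "loginname" from matching "loginname2" etc.
    pattern = re.compile(r"\bappuser\." + re.escape(index) + r"\b")
    target_type = mapping.get("target", {}).get("type", "user")
    hits = []
    for attr, spec in mapping.get("properties", {}).items():
        if pattern.search(spec.get("expression", "")):
            hits.append(f"{target_type}.{attr}")
    return hits


def destroy_blockers(mappings: List[dict], indices: List[str]) -> Dict[str, List[str]]:
    """For each custom property slated for deletion, collect the mapping
    targets that would make Okta reject the delete (empty dict = safe)."""
    blockers: Dict[str, List[str]] = {}
    for idx in indices:
        refs: List[str] = []
        for mapping in mappings:
            refs.extend(references_to_property(mapping, idx))
        if refs:
            blockers[idx] = refs
    return blockers


if __name__ == "__main__":
    for idx, targets in destroy_blockers([SAMPLE_MAPPING], ["loginname"]).items():
        print(f"Property {idx} is still used to populate {', '.join(targets)}")
```

Run against the real mapping for the IdP (GET /api/v1/mappings filtered by the source id) before destroying; a non-empty result means the mapping expression must be changed or removed and applied first, otherwise the property delete will fail exactly as shown in the report.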
monde added the bug and triaged (Triaged into internal Jira) labels Jan 28, 2025
monde (Collaborator) commented Jan 28, 2025

I would call this a bug because as noted, the TF provider doesn't exhibit quite the same behavior as the Admin UI (even though the TF provider is not the Admin UI and interacts with Okta through the management API).
