os_expression is not working as expected when a okta_app_signon_policy_rule resource is imported with os_type = "OTHER"

[rajnadimpalli]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Affected Resource(s)

• okta_app_signon_policy_rule

Issue summary

When an authentication policy rule is created via Okta admin console with OS_TYPE = "OTHER" and the resource okta_app_signon_policy_rule is imported using terraform import, the exported resource has os_expression set to "".
When running a terraform apply , it fails because os_expression doesn't accept "" value.

Please see error below:
Error: failed to create app sign on policy rule: the API returned an error: Api validation failed: conditions.platform. Causes: errorSummary: conditions.platform: The condition 'platform' must have os.expression if os.type is OTHER.

Terraform Configuration Files

resource "okta_app_signon_policy_rule" "dummy_rule3" {
  access                      = "ALLOW"
  constraints                 = ["{\"knowledge\":{\"reauthenticateIn\":\"PT0S\",\"types\":[\"password\"],\"required\":true},\"possession\":{\"excludedAuthenticationMethods\":[{\"key\":\"okta_email\",\"method\":\"email\"},{\"key\":\"phone_number\",\"method\":\"sms\"},{\"key\":\"phone_number\",\"method\":\"voice\"}],\"required\":false,\"userPresence\":\"REQUIRED\",\"userVerification\":\"OPTIONAL\"}}"]
  custom_expression           = null
  device_assurances_included  = null
  device_is_managed           = null
  device_is_registered        = null
  factor_mode                 = "2FA"
  groups_excluded             = null
  groups_included             = null
  inactivity_period           = null
  name                        = "dummy_rule3"
  network_connection          = "ANYWHERE"
  network_excludes            = null
  network_includes            = null
  policy_id                   = "rsti8tic6iInxjVd71d7"
  priority                    = 0
  re_authentication_frequency = "PT0S"
  risk_score                  = "ANY"
  status                      = "ACTIVE"
  type                        = "ASSURANCE"
  user_types_excluded         = []
  user_types_included         = []
  users_excluded              = []
  users_included              = []
  platform_include {
    os_expression = ""
    os_type       = "OTHER"
    type          = "DESKTOP"
  }
}

Steps to Reproduce

1. Create an authentication policy rule via Okta admin console with os_type = "OTHER"
2. Import the authentication policy rule to terraform
3. Run terraform plan

When an authentication policy rule is created with os_type = "OTHER" and it is retrieved via API, notice that os_expression = "", however terraform resource doesn't accept the same value.

References

• #0000

[duytiennguyen-okta]

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-832971