v4.0.0 release plan #1338

Closed
monde opened this issue Oct 25, 2022 · 13 comments

@monde
Collaborator

monde commented Oct 25, 2022

I just wanted to give everyone a heads up on our next planned major release, v4.0.0. The release will be focused in this manner:

  • CI Release Testing
  • Deprecated Resources and Data Sources

Background

Back in June I opened the sticky issue Version v4.0.0 wish list #1183. That is now actually the v5.0.0 wish list.

I'll be working towards this v4.0.0 release in Okta's Q4 (November, December 2022, January 2023). Hopefully the release will occur early in the quarter. The release will be about stability for all of the new improvements we are planning for v5.0.0.

CI Release Testing

The v4.0.0 release will be about making acceptance tests part of our release CI pipeline. Acceptance tests, which run against a live org making API calls over the wire, can take upwards of 40 minutes to run. Having acceptance tests guard a release with pass/fail will give us greater confidence to not release inadvertent bugs. This is a complicated problem to solve for these reasons:

  • Some tests are for a Classic org
  • Some tests are for an OIE org
  • Some tests are for snowflake situations (combinations of Org feature flags)
  • Some tests should never run for release CI purposes
  • Release CI should be:
    • Fast
    • Not have any tests that fail intermittently / randomly (no flapping tests allowed)

I've spiked using VCR to bring speed and stability to our ACC Tests. This will allow replaying tests for many different kinds of orgs for each resource test. My colleague at Auth0 is using VCR in the Auth0 TF ACC tests as well.

Deprecated Resources and Data Sources

The v4.0.0 release will also be about removing all deprecated arguments/attributes, and all deprecated resources and data sources.

Misnamed resources

These resources had incorrect names and the names were marked deprecated in April of 2019 in one of the v2.x.x releases. The resource's behavior was moved to the established resource name. The deprecated names will no longer be recognized.

| deprecated resource name | established resource name |
|---|---|
| okta_idp | okta_idp_oidc |
| okta_saml_idp | okta_idp_saml |
| okta_saml_idp_signing_key | okta_idp_saml_key |
| okta_social_idp | okta_idp_social |
| okta_bookmark_app | okta_app_bookmark |
| okta_saml_app | okta_app_saml |
| okta_oauth_app | okta_app_oauth |
| okta_oauth_app_redirect_uri | okta_app_oauth_redirect_uri |
| okta_auto_login_app | okta_app_auto_login |
| okta_secure_password_store_app | okta_app_secure_password_store |
| okta_three_field_app | okta_app_three_field |
| okta_swa_app | okta_app_swa |
| okta_password_policy | okta_policy_password |
| okta_signon_policy | okta_policy_signon |
| okta_signon_policy_rule | okta_policy_rule_signon |
| okta_password_policy_rule | okta_policy_rule_password |
| okta_mfa_policy | okta_policy_mfa |
| okta_mfa_policy_rule | okta_policy_rule_mfa |
| okta_app_user_schema | okta_app_user_schema_property |
| okta_app_user_base_schema | okta_app_user_base_schema_property |
| okta_user_schema | okta_user_schema_property |
| okta_user_base_schema | okta_user_base_schema_property |

Fully deprecated data sources

These data sources will be completely removed from the provider.

| fully deprecated data sources | alternative |
|---|---|
| okta_default_policy | This data source will be deprecated in favor of okta_default_policy or okta_policy data sources |

Fully deprecated resources

These resources will be completely removed from the provider.

| fully deprecated resource | alternative |
|---|---|
| okta_group_membership | Resource okta_group_membership is now deprecated, please use okta_group_memberships or okta_user_group_memberships based on applicable needs |
| okta_template_email | Resource okta_template_email utilizes a private Okta API whose behavior may change or even removed. Resource okta_template_email has been replaced by resource okta_email_customization which is supported by public Okta API. |
| okta_group_roles | This resource is deprecated and will be removed in favor of using okta_group_role, please migrate as soon as possible. |

Deprecated data source attributes

These attributes are deprecated and will be removed from the listed data sources.

| data source | deprecated attribute | alternative |
|---|---|---|
| okta_app_oauth | groups | The groups field is now deprecated for the data source okta_app_oauth, please replace all uses of this with: okta_app_group_assignments |
| okta_app_oauth | users | The users field is now deprecated for the data source okta_app_oauth, please replace all uses of this with: okta_app_user_assignments |
| okta_app | groups | The groups field is now deprecated for the data source okta_app_oauth, please replace all uses of this with: okta_app_group_assignments |
| okta_app | users | The users field is now deprecated for the data source okta_app_oauth, please replace all uses of this with: okta_app_user_assignments |
| okta_app_saml | groups | The groups field is now deprecated for the data source okta_app_oauth, please replace all uses of this with: okta_app_group_assignments |
| okta_app_saml | users | The users field is now deprecated for the data source okta_app_oauth, please replace all uses of this with: okta_app_user_assignments |

Deprecated resource attributes

These attributes are deprecated and will be removed from the listed resources.

| resource | deprecated attribute | alternative |
|---|---|---|
| okta_domain | verify | The direct validation for the domain resource is deprecated, please use the okta_domain_verification resource for this functionality. |
| okta_app_oauth | custom_client_id | This field is being replaced by client_id. Please set that field instead |
| okta_user | admin_roles | The admin_roles field is now deprecated for the resource okta_user, please replace all uses of this with: okta_user_admin_roles |
| okta_user | group_memberships | The group_memberships field is now deprecated for the resource okta_user, please replace all uses of this with: okta_user_group_memberships |
| okta_idp_social | match_type | This property was incorrectly added to this resource, you should use subject_match_type |
| okta_idp_social | match_attribute | This property was incorrectly added to this resource, you should use subject_match_attribute |
| okta_app_saml | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_saml | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_oauth | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_oauth | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_bookmark | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_bookmark | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_basic_auth | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_basic_auth | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_swa | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_swa | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_auto_login | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_auto_login | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_secure_password_store | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_secure_password_store | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_shared_credentials | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_shared_credentials | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_app_three_field | users | The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality |
| okta_app_three_field | groups | The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality |
| okta_policy_rule_idp_discovery | policyid | Because of incorrect naming, policyid field will be deprecated and then removed in the next versions of the provider. Please use policy_id instead |
| okta_policy_rule_mfa | policyid | Because of incorrect naming, policyid field will be deprecated and then removed in the next versions of the provider. Please use policy_id instead |
| okta_policy_rule_password | policyid | Because of incorrect naming, policyid field will be deprecated and then removed in the next versions of the provider. Please use policy_id instead |
| okta_policy_rule_sign_on | policyid | Because of incorrect naming, policyid field will be deprecated and then removed in the next versions of the provider. Please use policy_id instead |
| okta_idp_saml | acs_binding | This property will be removed in the future, as it can only be set to 'HTTP-POST' |
| okta_group | users | The users field is now deprecated for the resource okta_group, please replace all uses of this with: okta_group_memberships |
| okta_auth_server_policy | type | Policy type can only be of value 'OAUTH_AUTHORIZATION_POLICY', so this will be removed in the future, or set as 'Computed' value |
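
An added example, not part of the original issue or the provider's code: a scanner that reports where a Terraform configuration still uses the names from the "Misnamed resources" table. It matches a type only as a whole token, because several deprecated names are prefixes of current ones (okta_user_schema and okta_user_schema_property), so a plain search-and-replace would corrupt already-migrated code. The `scan` function and the sample configuration are assumptions made for illustration.

```python
import re

# Deprecated -> established resource names, copied from the table in the issue.
RENAMES = dict(p.split("=") for p in """
okta_idp=okta_idp_oidc okta_saml_idp=okta_idp_saml okta_social_idp=okta_idp_social
okta_saml_idp_signing_key=okta_idp_saml_key okta_bookmark_app=okta_app_bookmark
okta_saml_app=okta_app_saml okta_oauth_app=okta_app_oauth okta_swa_app=okta_app_swa
okta_oauth_app_redirect_uri=okta_app_oauth_redirect_uri
okta_auto_login_app=okta_app_auto_login okta_three_field_app=okta_app_three_field
okta_secure_password_store_app=okta_app_secure_password_store
okta_password_policy=okta_policy_password okta_signon_policy=okta_policy_signon
okta_signon_policy_rule=okta_policy_rule_signon okta_mfa_policy=okta_policy_mfa
okta_password_policy_rule=okta_policy_rule_password
okta_mfa_policy_rule=okta_policy_rule_mfa okta_user_schema=okta_user_schema_property
okta_app_user_schema=okta_app_user_schema_property
okta_app_user_base_schema=okta_app_user_base_schema_property
okta_user_base_schema=okta_user_base_schema_property
""".split())

# A type counts only as a whole token: quoted in a declaration, or directly
# before ".name" in a reference; data.<type>.<name> addresses are left alone.
_TYPES = "|".join(sorted(map(re.escape, RENAMES), key=len, reverse=True))
_DECL = re.compile(r'^\s*resource\s+"(%s)"\s+"([^"]+)"' % _TYPES)
_REF = re.compile(r'(?<![\w.-])(%s)\.([A-Za-z_][\w-]*)' % _TYPES)

def scan(hcl_text):
    """Return (line, kind, old_address, new_address) for each deprecated use."""
    findings = []
    for no, line in enumerate(hcl_text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # skips whole-line comments only (simplification)
        decl = _DECL.match(line)
        hits = [("declaration", decl)] if decl else []
        hits += [("reference", m) for m in _REF.finditer(line)]
        for kind, m in hits:
            old, name = m.group(1), m.group(2)
            findings.append((no, kind, f"{old}.{name}", f"{RENAMES[old]}.{name}"))
    return findings

# Constructed sample configuration (not from the issue).
SAMPLE = """\
resource "okta_saml_app" "hr" {}
resource "okta_user_schema_property" "dept" {}
resource "okta_idp_oidc" "okta_idp" {}
# okta_idp.old appears only in a comment
output "hr_id" { value = okta_saml_app.hr.id }
"""
```

Calling `scan(SAMPLE)` flags lines 1 and 5 only; the already-migrated okta_user_schema_property block and the resource whose local name happens to be okta_idp are not reported.
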
@virgofx
Contributor

virgofx commented Nov 14, 2022

Would love to see a 4.0 cut with all the deprecations gone. We're now haunted by having to add lifecycle rules to ignore changes as despite being deprecated they still query out to the endpoints -- and then we get the dreaded Terraform Warning: Deprecated attribute notices :(

@monde
Collaborator Author

monde commented Dec 20, 2022

We need to have a number of guides in this release.

  • Migrating from Classic to OIE
  • Migrating from latest v3 to v4
  • Migrating outliers on v3.9.0 to latest v3 and/or v4
  • Okta TF provider usage/examples geared for experienced operators
  • Okta TF provider usage/examples/tutorials geared for operators new to TF in general

@monde
Collaborator Author

monde commented Jan 17, 2023

We should also consider getting rid of artificial input validation at the provider level that the API will do regardless. An example bug #1422

@monde
Collaborator Author

monde commented Jan 17, 2023

Are if isClassicOrg(m) { checks too heavy handed? Should we instead just bubble up the API error and print out a WARNING log message "this is OIE only" ...

@exitcode0
Contributor

> We should also consider getting rid of artificial input validation at the provider level that the API will do regardless. An example bug #1422

Is it possible to surface the validation from the SDK into terraform without needing to maintain it in two places?
This input validation is valuable if you have long deployment times due to a large okta env stored in a single large terraform backend

@jeremie0

> > We should also consider getting rid of artificial input validation at the provider level that the API will do regardless. An example bug #1422
>
> Is it possible to surface the validation from the SDK into terraform without needing to maintain it in two places? this input validation is valuable if you have long deployment times due to a large okta env stored in a single large terraform backend

agree! the more issues we can catch in a terraform validate the better.

@ktham

ktham commented May 3, 2023

Thank you so much for working on the 4.0 release! Just wanted to bring up this question for visibility #1513 (i.e. does #1513's removal of validation logic in favor of API-based validation still ensure that validation happens during "plan" time rather than "apply" time still?) - I ask not that it matters too much where the validation happens, but it does matter to me when they happen, in other words, validation should ideally happen during "plan" time and I hope this is still the case with using API-based validation. (The Datadog TF provider does the same in that they will call the API during plan time to do validation).

@fatbasstard
Contributor

fatbasstard commented May 5, 2023

Hi, in which PR did skip_groups and skip_users get removed?

I'm getting the An argument named "skip_groups" is not expected here. error now. But never seen a deprecation warning on this. So now my production deployments are broken

Looking for the "how to change my code" approach. Is removing this sufficient? So even with the skip option enabled no groups/users are retrieved?

@monde
Collaborator Author

monde commented May 5, 2023

@fatbasstard there can be lots of changes in a major release. Probably should pin to the last 3.x.x, there isn't anything net new in 4.0.0 and we are going to be adjusting 4.0.1 with all the immediate feedback like this. cc @duytiennguyen-okta

@fatbasstard
Contributor

I'm more surprised/disappointed in the fact that skip_users and skip_groups never were marked as deprecated before being removed.

@Mrorya

Mrorya commented May 8, 2023

Commenting about the same issue @fatbasstard - A bit awkward to see the attribute removed without any references to this change. What would the way to achieve the same execution on 4.0 be?

@alexathashicorp

having skip_users and skip_groups disappear also caught me by surprise. I would have expected a lot of yellow warnings so I could clean it up after getting my project into the land of 4.0.

I would love a smoother path forward in 4.0.1; thank you for the hard work fixing things post release.

@bothman231

Hi, I switched

    lifecycle {
      ignore_changes = [groups]
    }

in resource { okta_app_oauth to

    ignore_changes = [okta_app_group_assignments]

per the docs at #1338 but now get..

Error: Unsupported attribute

│ on .terraform/modules/okta-object-deployment/main.tf line 43, in resource "okta_app_oauth" "gpi_app_dev":
│ 43: ignore_changes = [okta_app_group_assignments]
