add support for catch_all = deny

Signed-off-by: Tien Nguyen <duytien.nguyen@okta.com>

docs/resources/app_signon_policy.md

@@ -92,9 +92,14 @@ resource "okta_app_signon_policy_rule" "some_rule" {
 - `description` (String) Description of the policy.
 - `name` (String) Name of the policy.
 
+### Optional
+
+- `catch_all` (Boolean) Default rules of the policy set to `DENY` or not. If `false`, it is set to `DENY`. **WARNING** setting this attribute to false change the OKTA default behavior. Use at your own risk. This is only apply during creation, so import or update will not work
+
 ### Read-Only
 
-- `id` (String) The ID of this resource.
+- `default_rule_id` (String) Default rules id of the policy
+- `id` (String) Policy id
 
 ## Import
 

examples/resources/okta_app_signon_policy_rule/basic_updated.tf

@@ -145,18 +145,21 @@ resource "okta_app_signon_policy_rule" "test" {
     jsonencode({
       "knowledge" : {
         "reauthenticateIn" : "PT2H",
-        "types" : ["password"]
+        "types" : ["password"],
+        "required" : false
       },
       "possession" : {
-        "deviceBound" : "REQUIRED"
+        "deviceBound" : "REQUIRED",
+        "required" : false
       }
     }),
     jsonencode({
       "possession" : {
         "deviceBound" : "REQUIRED",
         "hardwareProtection" : "REQUIRED",
         "userPresence" : "OPTIONAL",
-        "userVerification" : "OPTIONAL"
+        "userVerification" : "OPTIONAL",
+        "required" : false
       }
     })
   ]

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/lestrrat-go/jwx v1.2.29
 	github.com/okta/okta-sdk-golang/v4 v4.1.2
-	github.com/okta/okta-sdk-golang/v5 v5.0.2
+	github.com/okta/okta-sdk-golang/v5 v5.0.4
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/stretchr/testify v1.9.0
 	gopkg.in/dnaeon/go-vcr.v3 v3.1.2

go.sum

@@ -213,8 +213,8 @@ github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
 github.com/okta/okta-sdk-golang/v4 v4.1.2 h1:gSycAYWGrvYeXBW8HakMZnNu/ptMuTvTQ/zZ7lgmtPI=
 github.com/okta/okta-sdk-golang/v4 v4.1.2/go.mod h1:01oiHDXvZQHlZo1Uw084VDYwXIqJe19z34b53PBZpUY=
-github.com/okta/okta-sdk-golang/v5 v5.0.2 h1:eecvycE/XDX56IWTsOVhqfj5txCgqryTXzKy7wKEq78=
-github.com/okta/okta-sdk-golang/v5 v5.0.2/go.mod h1:T/vmECtJX33YPZSVD+sorebd8LLhe38Bi/VrFTjgVX0=
+github.com/okta/okta-sdk-golang/v5 v5.0.4 h1:HDq1L+3vECjTZRPmsRYxgeWOGRuaxk1+tdRkdscAeLQ=
+github.com/okta/okta-sdk-golang/v5 v5.0.4/go.mod h1:T/vmECtJX33YPZSVD+sorebd8LLhe38Bi/VrFTjgVX0=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=

okta/data_source_okta_apps.go

@@ -66,6 +66,7 @@ type OktaApp interface {
 	GetSignOnMode() string
 	GetFeatures() []string
 	GetVisibility() okta.ApplicationVisibility
+	GetLinks() okta.ApplicationLinks
 }
 
 func (d *AppsDataSource) Metadata(ctx context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {

okta/data_source_okta_device_assurance_policy.go

@@ -56,7 +56,6 @@ func (d *deviceAssurancePolicyDataSource) Schema(ctx context.Context, req dataso
 	resp.Schema = schema.Schema{
 		Description: "Get a policy assurance from Okta.",
 		Attributes: map[string]schema.Attribute{
-			// TODU
 			"id": schema.StringAttribute{
 				Description: "ID of the user type to retrieve, conflicts with `name`.",
 				Optional:    true,

okta/framework_provider.go

@@ -2,19 +2,22 @@ package okta
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/setvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/provider"
 	"github.com/hashicorp/terraform-plugin-framework/provider/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/tfsdk"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/okta/okta-sdk-golang/v5/okta"
 )
 
 // Ensure the implementation satisfies the expected interfaces.
@@ -271,7 +274,8 @@ func (p *FrameworkProvider) Resources(_ context.Context) []func() resource.Resou
 		NewPolicyDeviceAssuranceWindowsResource,
 		NewCustomizedSigninResource,
 		NewPreviewSigninResource,
-		GroupOwnerResource,
+		NewGroupOwnerResource,
+		NewAppSignOnPolicyResource,
 	}
 }
 
@@ -308,3 +312,80 @@ func resourceConfiguration(req resource.ConfigureRequest, resp *resource.Configu
 
 	return p
 }
+
+func frameworkResourceOIEOnlyFeatureError(name string) diag.Diagnostics {
+	return frameworkOIEOnlyFeatureError("resources", name)
+}
+
+func frameworkOIEOnlyFeatureError(kind, name string) diag.Diagnostics {
+	url := fmt.Sprintf("https://registry.terraform.io/providers/okta/okta/latest/docs/%s/%s", kind, string(name[5:]))
+	if kind == "resources" {
+		kind = "resource"
+	}
+	if kind == "data-sources" {
+		kind = "datasource"
+	}
+	var diags diag.Diagnostics
+	diags.AddError(fmt.Sprintf("%q is a %s for OIE Orgs only", name, kind), fmt.Sprintf(", see %s", url))
+	return diags
+}
+
+func frameworkIsClassicOrg(ctx context.Context, config *Config) bool {
+	return config.IsClassicOrg(ctx)
+}
+
+func frameworkFindDefaultAccessPolicy(ctx context.Context, config *Config) (okta.ListPolicies200ResponseInner, error) {
+	if frameworkIsClassicOrg(ctx, config) {
+		return okta.ListPolicies200ResponseInner{}, nil
+	}
+	policies, err := framworkFindSystemPolicyByType(ctx, config, "ACCESS_POLICY")
+	if err != nil {
+		return okta.ListPolicies200ResponseInner{}, fmt.Errorf("error finding default ACCESS_POLICY %+v", err)
+	}
+	if len(policies) != 1 {
+		return okta.ListPolicies200ResponseInner{}, errors.New("cannot find default ACCESS_POLICY policy")
+	}
+	return policies[0], nil
+}
+
+type OktaPolicy interface {
+	GetId() string
+	GetSystem() bool
+}
+
+func framworkFindSystemPolicyByType(ctx context.Context, config *Config, _type string) ([]okta.ListPolicies200ResponseInner, error) {
+	res := []okta.ListPolicies200ResponseInner{}
+	policies, _, err := config.oktaSDKClientV5.PolicyAPI.ListPolicies(ctx).Type_(_type).Execute()
+	if err != nil {
+		return nil, err
+	}
+	for _, p := range policies {
+		policy := p.GetActualInstance().(OktaPolicy)
+		if policy.GetSystem() {
+			res = append(res, p)
+		}
+	}
+
+	return res, nil
+}
+
+func frameworkListApps(ctx context.Context, config *Config, filters *appFilters, limit int64) ([]okta.ListApplications200ResponseInner, error) {
+	req := config.oktaSDKClientV5.ApplicationAPI.ListApplications(ctx).Limit(int32(limit))
+	if filters != nil {
+		req = req.Filter(filters.Status)
+		req = req.Q(filters.getQ())
+	}
+	apps, resp, err := req.Execute()
+	if err != nil {
+		return nil, err
+	}
+	for resp.HasNextPage() {
+		var nextApps []okta.ListApplications200ResponseInner
+		resp, err = resp.Next(&nextApps)
+		if err != nil {
+			return nil, err
+		}
+		apps = append(apps, nextApps...)
+	}
+	return apps, nil
+}

okta/provider.go

@@ -257,7 +257,6 @@ func Provider() *schema.Provider {
 			appSamlAppSettings:            resourceAppSamlAppSettings(),
 			appSecurePasswordStore:        resourceAppSecurePasswordStore(),
 			appSharedCredentials:          resourceAppSharedCredentials(),
-			appSignOnPolicy:               resourceAppSignOnPolicy(),
 			appSignOnPolicyRule:           resourceAppSignOnPolicyRule(),
 			appSwa:                        resourceAppSwa(),
 			appThreeField:                 resourceAppThreeField(),