Fixed several bugs (#542)

okta/resource_okta_app_oauth.go

@@ -197,7 +197,7 @@ func resourceAppOAuth() *schema.Resource {
 			"wildcard_redirect": {
 				Type:             schema.TypeString,
 				Optional:         true,
-				Description:      "Indicates if the client is allowed to use wildcard matching of redirect_uris",
+				Description:      "*Early Access Property*. Indicates if the client is allowed to use wildcard matching of redirect_uris",
 				Default:          "DISABLED",
 				ValidateDiagFunc: elemInSlice([]string{"DISABLED", "SUBDOMAIN"}),
 			},
@@ -464,7 +464,9 @@ func resourceAppOAuthRead(ctx context.Context, d *schema.ResourceData, m interfa
 	_ = d.Set("tos_uri", app.Settings.OauthClient.TosUri)
 	_ = d.Set("policy_uri", app.Settings.OauthClient.PolicyUri)
 	_ = d.Set("login_uri", app.Settings.OauthClient.InitiateLoginUri)
-	_ = d.Set("wildcard_redirect", app.Settings.OauthClient.WildcardRedirect)
+	if app.Settings.OauthClient.WildcardRedirect != "" {
+		_ = d.Set("wildcard_redirect", app.Settings.OauthClient.WildcardRedirect)
+	}
 	_ = d.Set("auto_submit_toolbar", app.Visibility.AutoSubmitToolbar)
 	_ = d.Set("hide_ios", app.Visibility.Hide.IOS)
 	_ = d.Set("hide_web", app.Visibility.Hide.Web)

okta/resource_okta_group.go

@@ -105,6 +105,10 @@ func resourceGroupDelete(ctx context.Context, d *schema.ResourceData, m interfac
 }
 
 func syncGroupUsers(ctx context.Context, d *schema.ResourceData, m interface{}) error {
+	// Only sync when the user opts in by outlining users in the group config
+	if _, exists := d.GetOk("users"); !exists {
+		return nil
+	}
 	userIDList, err := listGroupUserIDs(ctx, m, d.Id())
 	if err != nil {
 		return err

okta/resource_okta_policy_rule_sign_on.go

@@ -160,7 +160,9 @@ func resourcePolicySignOnRuleRead(ctx context.Context, d *schema.ResourceData, m
 	if rule.Actions.SignOn.FactorPromptMode != "" {
 		_ = d.Set("mfa_prompt", rule.Actions.SignOn.FactorPromptMode)
 	}
-	_ = d.Set("risc_level", rule.Conditions.RiskScore.Level)
+	if rule.Conditions != nil && rule.Conditions.RiskScore != nil {
+		_ = d.Set("risc_level", rule.Conditions.RiskScore.Level)
+	}
 	err = setNonPrimitives(d, map[string]interface{}{
 		"behaviors": convertStringSetToInterface(rule.Conditions.Risk.Behaviors),
 	})

okta/user_schema.go

@@ -199,8 +199,6 @@ func syncBaseUserSchema(d *schema.ResourceData, subschema *sdk.UserSubSchema) {
 	}
 	if len(subschema.Permissions) > 0 {
 		_ = d.Set("permissions", subschema.Permissions[0].Action)
-	} else {
-		_ = d.Set("permissions", "")
 	}
 	if subschema.Pattern != nil {
 		_ = d.Set("pattern", &subschema.Pattern)

website/docs/r/app_oauth.html.markdown

@@ -75,7 +75,7 @@ The following arguments are supported:
 
 - `redirect_uris` - (Optional) List of URIs for use in the redirect-based flow. This is required for all application types except service.
 
-- `wildcard_redirect` - (Optional) Indicates if the client is allowed to use wildcard matching of `redirect_uris`. Valid values: `"DISABLED"`, `"SUBDOMAIN"`. Default value is `"DISABLED"`.
+- `wildcard_redirect` - (Optional) *Early Access Property*. Indicates if the client is allowed to use wildcard matching of `redirect_uris`. Valid values: `"DISABLED"`, `"SUBDOMAIN"`. Default value is `"DISABLED"`.
 
 - `post_logout_redirect_uris` - (Optional) List of URIs for redirection after logout.