Resource state cannot be updated with WARN A managed resource "source" "login" has not been declared in the root module. #8

Open
eigokor opened this issue Aug 23, 2024 · 2 comments


eigokor commented Aug 23, 2024

Hi, I am trying to provision an Oauth app with the following config:

apiVersion: app.okta.upbound.io/v1alpha1
kind: Oauth
metadata:
  name: test-env-100-ttl4
spec:
  forProvider:
    label: "test-env-100-ttl4"
    type: "browser"
    grantTypes:
      - authorization_code
    redirectUris:
      - "https://test-env-100-ttl4.my.org.engineering/homepage/login/callback"
    postLogoutRedirectUris:
      - "https://test-env-100-ttl4.my.org.engineering/homepage/"
    loginUri: "https://est-env-100-ttl4.my.org.engineering"
    loginMode: "DISABLED"
    responseTypes:
      - code
    tokenEndpointAuthMethod: "none"
    issuerMode: "ORG_URL"
    pkceRequired: true
    autoKeyRotation: true
    consentMethod: "TRUSTED"
    clientId: dg123e4dq234gr43edq4f

On the Okta side the application is created; below is the Okta API GET application output:

{
  "id": "0oa267uti7vG4Jn0A0h8",
  "orn": null,
  "name": "oidc_client",
  "label": "test-env-100-ttl4",
  "status": "ACTIVE",
  "lastUpdated": "2024-08-23T06:45:56.000Z",
  "created": "2024-08-23T06:45:56.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoLaunch": false,
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": true,
      "web": true
    },
    "appLinks": {
      "oidc_client_link": true
    }
  },
  "features": [],
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "RiBI46Rz2BNYbbM_ntq2pOrZk5xYyFawKgf7OVLYzXvE"
    },
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": "random",
      "token_endpoint_auth_method": "none",
      "pkce_required": true
    }
  },
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "manualProvisioning": false,
    "implicitAssignment": false,
    "notes": {
      "admin": null,
      "enduser": null
    },
    "oauthClient": {
      "client_uri": null,
      "logo_uri": null,
      "redirect_uris": [
        "https://test-env-100-ttl4.my.org.engineering/homepage/login/callback"
      ],
      "post_logout_redirect_uris": [
        "https://test-env-100-ttl4.my.org.engineering/homepage/"
      ],
      "response_types": [
        "code"
      ],
      "grant_types": [
        "authorization_code"
      ],
      "initiate_login_uri": "https://test-env-100-ttl4.my.org.engineering",
      "application_type": "browser",
      "consent_method": "TRUSTED",
      "issuer_mode": "ORG_URL",
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
      },
      "wildcard_redirect": "DISABLED",
      "dpop_bound_access_tokens": false
    }
  },
  "_links": {
    "uploadLogo": {
      "href": "https://myorg.oktapreview.com/api/v1/apps/0oa267uti7vG4Jn0A0h8/logo",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "appLinks": [
      {
        "name": "oidc_client_link",
        "href": "https://myorg.oktapreview.com/home/oidc_client/0oa267uti7vG4Jn0A0h8/aln5z7uhkbM6y7bMy0g7",
        "type": "text/html"
      }
    ],
    "groups": {
      "href": "https://myorg.oktapreview.com/api/v1/apps/0oa267uti7vG4Jn0A0h8/groups"
    },
    "logo": [
      {
        "name": "medium",
        "href": "https://op1static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695effffa5279bb.png",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://myorg.oktapreview.com/api/v1/apps/0oa267uti7vG4Jn0A0h8/users"
    },
    "deactivate": {
      "href": "https://myorg.oktapreview.com/api/v1/apps/0oa267uti7vG4Jn0A0h8/lifecycle/deactivate"
    }
  }
}

But the resource is stuck in the READY: False and SYNCED: False state.
The warning message is: observe failed: cannot run refresh: refresh failed: Reference to undeclared resource: A managed resource "source" "login" has not been declared in the root module.

  Warning  CannotObserveExternalResource  2m48s (x440 over 7h13m)  managed/app.okta.upbound.io/v1alpha1, kind=oauth  cannot run refresh: refresh failed: Reference to undeclared resource: A managed resource "source" "login" has not been declared in the root module.

eigokor commented Aug 23, 2024

DEBUG LOG

2024-08-23T14:29:41Z	DEBUG	provider-okta	refresh ended	{"workspace": "/tmp/cd5d4aaf-c9ca-479d-a3d3-2f6cf2e95454", "out": "{\"@level\":\"info\",\"@message\":\"Terraform 1.REDACTED.7\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2REDACTED24-REDACTED8-23T14:29:41.32REDACTED378Z\",\"terraform\":\"1.REDACTED.7\",\"type\":\"version\",\"ui\":\"1.1\"}\n{\"@level\":\"error\",\"@message\":\"Error: Reference to undeclared resource\",\"@module\":\"terraform.ui\",\"@timestamp\":\"2REDACTED24-REDACTED8-23T14:29:41.REDACTED834REDACTEDREDACTEDZ\",\"diagnostic\":{\"severity\":\"error\",\"summary\":\"Reference to undeclared resource\",\"detail\":\"A managed resource \\\"source\\\" \\\"login\\\" has not been declared in the root module.\",\"range\":{\"filename\":\"main.tf.json\",\"start\":{\"line\":1,\"column\":1161,\"byte\":116REDACTED},\"end\":{\"line\":1,\"column\":1173,\"byte\":1172}},\"snippet\":{\"context\":\"resource.okta_app_oauth.test-env-1REDACTEDREDACTED-ttl4\",\"code\":\"{\\\"provider\\\":{\\\"okta\\\":{\\\"api_token\\\":\\\"REDACTEDREDACTEDyAbUlLSQk8REDACTEDbyBpEzxaQwONQVREDACTEDT1YI8xxV-REDACTEDb27S\\\",\\\"backoff\\\":\\\"REDACTED\\\",\\\"base_url\\\":\\\"REDACTED\\\",\\\"max_retries\\\":\\\"REDACTED\\\",\\\"max_wait_seconds\\\":\\\"REDACTEDREDACTED\\\",\\\"min_wait_seconds\\\":\\\"REDACTED\\\",\\\"org_name\\\":\\\"REDACTED\\\",\\\"request_timeout\\\":\\\"REDACTED\\\"}},\\\"resource\\\":{\\\"okta_app_oauth\\\":{\\\"test-env-1REDACTEDREDACTED-ttl4\\\":{\\\"app_links_json\\\":\\\"{\\\\\\\"oidc_client_link\\\\\\\":REDACTED}\\\",\\\"app_settings_json\\\":\\\"{}\\\",\\\"auto_key_rotation\\\":REDACTED,\\\"client_id\\\":\\\"random\\\",\\\"consent_method\\\":\\\"TRUSTED\\\",\\\"grant_types\\\":[\\\"authorization_code\\\"],\\\"hide_ios\\\":REDACTED,\\\"hide_web\\\":REDACTED,\\\"issuer_mode\\\":\\\"ORG_URL\\\",\\\"label\\\":\\\"ephemeral-test-env-1REDACTEDREDACTED-ttl4 
test-env-1REDACTEDREDACTED-ttl4.my.org.engineering\\\",\\\"lifecycle\\\":{\\\"prevent_destroy\\\":false},\\\"login_mode\\\":\\\"DISABLED\\\",\\\"login_uri\\\":\\\"https://test-env-1REDACTEDREDACTED-ttl4.my.org.engineering\\\",\\\"pkce_required\\\":REDACTED,\\\"post_logout_redirect_uris\\\":[\\\"https://test-env-1REDACTEDREDACTED-ttl4.my.org.engineering/homepage/\\\"],\\\"redirect_uris\\\":[\\\"https://test-env-1REDACTEDREDACTED-ttl4.my.org.engineering/homepage/login/callback\\\"],\\\"refresh_token_rotation\\\":\\\"STATIC\\\",\\\"response_types\\\":[\\\"code\\\"],\\\"status\\\":\\\"ACTIVE\\\",\\\"token_endpoint_auth_method\\\":\\\"none\\\",\\\"type\\\":\\\"browser\\\",\\\"user_name_template\\\":\\\"${source.login}\\\",\\\"user_name_template_type\\\":\\\"BUILT_IN\\\",\\\"wildcard_redirect\\\":\\\"DISABLED\\\"}}},\\\"terraform\\\":{\\\"required_providers\\\":{\\\"okta\\\":{\\\"source\\\":\\\"okta/okta\\\",\\\"version\\\":\\\"4.6.3\\\"}}}}\",\"start_line\":1,\"highlight_start_offset\":116REDACTED,\"highlight_end_offset\":1172,\"values\":[]}},\"type\":\"diagnostic\"}\n"}
2024-08-23T14:29:41Z	DEBUG	provider-okta	Cannot observe external resource	{"controller": "managed/app.okta.upbound.io/v1alpha1, kind=oauth", "request": "/test-env-100-ttl4", "uid": "cd5d4aaf-c9ca-479d-a3d3-2f6cf2e95454", "version": "696229033", "external-name": "0oa267uti7vG4Jn0A0h8", "error": "cannot run refresh: refresh failed: Reference to undeclared resource: A managed resource \"source\" \"login\" has not been declared in the root module.", "errorVerbose": "refresh failed: Reference to undeclared resource: A managed resource \"source\" \"login\" has not been declared in the root module.\ncannot run refresh\ngithub.com/upbound/upjet/pkg/controller.(*external).Observe\n\tgithub.com/upbound/[email protected]/pkg/controller/external.go:170\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/reconciler/managed/reconciler.go:805\ngithub.com/crossplane/crossplane-runtime/pkg/ratelimiter.(*Reconciler).Reconcile\n\tgithub.com/crossplane/[email protected]/pkg/ratelimiter/reconciler.go:54\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235\nruntime.goexit\n\truntime/asm_amd64.s:1594"}
2024-08-23T14:29:41Z	DEBUG	events	cannot run refresh: refresh failed: Reference to undeclared resource: A managed resource "source" "login" has not been declared in the root module.	{"type": "Warning", "object": {"kind":"Oauth","name":"test-env-100-ttl4","uid":"cd5d4aaf-c9ca-479d-a3d3-2f6cf2e95454","apiVersion":"app.okta.upbound.io/v1alpha1","resourceVersion":"696229033"}, "reason": "CannotObserveExternalResource"}

It looks like it is related to the default value for the user_name_template parameter

User Name Template: ${source.login}


eigokor commented Aug 23, 2024

Found a solution: setting userNameTemplate: "" in the resource definition resolves the issue.
An example file can be:

apiVersion: app.okta.upbound.io/v1alpha1
kind: Oauth
metadata:
  name: example-oauth-app
spec:
  forProvider:
    label: "Example"
    type: "web"
    # Empty value replaces the default "${source.login}" template
    userNameTemplate: ""
    grantTypes:
      - authorization_code
    redirectUris:
      - "https://example.com"
    responseTypes:
      - code
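
An added example, not code from the issue or from provider-okta: Terraform's JSON syntax evaluates string values as templates, so the sketch below walks a generated configuration, reports every value containing an unescaped `${` or `%{` sequence, and shows Terraform's literal escape (`$${`, `%%{`) for it. The sample document is constructed from the field names in the debug log above, and the function names are hypothetical.

```python
import json
import re

# In Terraform JSON configuration a string value is parsed as a template:
# "${...}" is an interpolation and "%{...}" a directive, unless the
# introducer is doubled ("$${" / "%%{"), which yields the literal text.
UNESCAPED = re.compile(r"(?<!\$)\$\{|(?<!%)%\{")

# Constructed sample, trimmed to the fields that matter for this issue.
SAMPLE = json.loads(r'''
{"resource": {"okta_app_oauth": {"example": {
  "label": "example",
  "redirect_uris": ["https://example.com/callback"],
  "user_name_template": "${source.login}",
  "user_name_template_type": "BUILT_IN"
}}}}
''')


def find_templates(node, path=""):
    """Yield (json_path, value) for each string Terraform would evaluate."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_templates(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_templates(child, f"{path}[{index}]")
    elif isinstance(node, str) and UNESCAPED.search(node):
        yield path, node


def escape_templates(value):
    """Double each unescaped introducer so the text stays literal."""
    return UNESCAPED.sub(lambda m: m.group(0)[0] + m.group(0), value)


if __name__ == "__main__":
    for json_path, value in find_templates(SAMPLE):
        # "${source.login}" parses as a reference to resource type "source",
        # name "login", which is the error reported in the debug log.
        print(f"{json_path}: {value!r} -> {escape_templates(value)!r}")
```
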
