Terraform Profile Mapping not setting value for existing users

I have the following Terraform code to set a boolean property on the user profile based on the email extension. The Terraform code deploys fine and the mapping shows up in the Okta admin, but the rule is not applied to existing users (property remains ‘undefined’). I believe the ‘always_apply’ should update the existing users. I am using an API token to hook Terraform into Okta (regarding the warning: "always_apply is available only when using api token in the provider config.")

data "okta_user_profile_mapping_source" "user" {}
data "okta_idp_oidc" "enterprise_okta_federation_policy" {
  name = "Enterprise Okta Federation Policy"
}

resource "okta_profile_mapping" "user_profile_mapping" {
  source_id          = data.okta_idp_oidc.enterprise_okta_federation_policy.id
  target_id          = data.okta_user_profile_mapping_source.user.id
  always_apply       = true

  mappings {
    id          = "internalUser"
    expression  = "String.stringContains(appuser.email, 'somewhere.com') || String.stringContains(appuser.email, 'elsewhere.com')"
    push_status = "PUSH"
  }
}

Is there something I’m missing to get the rule to apply to existing users?


I have the same issue. Did you find the resolution for this?

We ended up taking a slightly different route. We realized we didn’t need an expression to calculate the mapping after all and ended up just assigning it a direct boolean value. I can’t remember if we ever got the expression working where it calculated the boolean value based on the email.

resource "okta_profile_mapping" "user_profile_mapping" {
  source_id          = okta_idp_oidc.enterprise_okta_federation_policy.id
  target_id          = data.okta_user_profile_mapping_source.user.id
  always_apply       = true
  delete_when_absent = false

  mappings {
    id          = "login"
    expression  = "appuser.email"
  }

  # other profile mappings that we wanted to keep...

  mappings {
    id          = "internalUser"
    expression  = "true"
  }
}
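
Added example, not part of the original thread or of the Okta provider: a small audit over an exported user list that reports profiles where internalUser is still undefined, and addresses that the substring expression from the question would mark internal even though their domain is not one of the two listed. The record layout, the function names and the stricter exact-domain rule are assumptions for illustration; Python's `in` stands in for String.stringContains.

```python
"""Audit a user export against the thread's email-based internalUser rule."""

ALLOWED_DOMAINS = {"somewhere.com", "elsewhere.com"}  # domains from the question


def contains_rule(email):
    """Model of the posted expression: substring match anywhere in the address."""
    return any(domain in email for domain in ALLOWED_DOMAINS)


def exact_domain_rule(email):
    """Stricter variant (assumption): compare only the part after the last '@'."""
    local, sep, domain = email.rpartition("@")
    return bool(sep and local) and domain.lower() in ALLOWED_DOMAINS


def audit(users):
    """Return {login: finding} for profiles that need attention."""
    findings = {}
    for user in users:
        email = user["email"]
        current = user.get("internalUser")  # None models 'undefined' in the admin UI
        if contains_rule(email) and not exact_domain_rule(email):
            findings[user["login"]] = "substring rule marks non-listed domain internal"
        elif current is None:
            findings[user["login"]] = "mapping never applied (undefined)"
        elif current != exact_domain_rule(email):
            findings[user["login"]] = "stored value disagrees with email domain"
    return findings


# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    {"login": "alice", "email": "alice@somewhere.com", "internalUser": True},
    {"login": "bob", "email": "bob@elsewhere.com", "internalUser": None},
    {"login": "carol", "email": "carol@somewhere.com.example.net", "internalUser": None},
    {"login": "dave", "email": "dave@partner.example", "internalUser": True},
]

if __name__ == "__main__":
    for login, finding in audit(SAMPLE_USERS).items():
        print(f"{login}: {finding}")
```

Running the same audit before and after a terraform apply shows whether always_apply actually changed any existing profile.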