This article explains why, when applying a Terraform plan, the following error can be encountered when deleting an okta_app_signon_policy:
```
module.authn_policies["example"].okta_app_signon_policy.policy: Destroying... [id=rst0123456789]
╷
Error: failed to list apps in preparation to delete authentication policy: %v
│
│ 403 Forbidden
```

Applies to:
- Okta Terraform Provider
- okta_app_signon_policy resource
- Okta Identity Engine

Per the "Resource: okta_app_signon_policy" Terraform Provider documentation, when this policy is destroyed, any other applications that use the policy as their authentication policy will be reassigned to the default/system access policy.
This means that the provider must have access to read application information and assign the application to a different Authentication Policy before the specified policy is deleted.
If using OAuth to authorize the Terraform Provider, ensure that the provider is configured to request the `okta.apps.manage` scope, that the `okta.apps.manage` scope has been granted to the API Service application (the source of the `client_id` in the provider configuration), and that the API Service application has sufficient admin permissions to manage the relevant applications.
If using a static API Token to authorize the Terraform Provider (set as the `api_token` in the provider configuration), ensure that the admin user who was issued the token has sufficient admin permissions to manage the relevant applications.
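A pre-apply check for the OAuth case described above, as an added example (not Okta's or the provider's code). It reads the JSON form of a plan as produced by `terraform show -json <planfile>`, finds `okta_app_signon_policy` resources that will be destroyed or replaced, and reports Okta provider blocks whose literal `scopes` list omits `okta.apps.manage`. The sample plan, its addresses and the placeholder `client_id` are constructed, and the function names are hypothetical.

```python
import json
import sys

REQUIRED_SCOPE = "okta.apps.manage"  # scope the article says the provider must request

# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": 'module.authn_policies["example"].okta_app_signon_policy.policy',
         "type": "okta_app_signon_policy", "change": {"actions": ["delete"]}},
        {"address": "okta_app_signon_policy.kept",
         "type": "okta_app_signon_policy", "change": {"actions": ["no-op"]}},
    ],
    "configuration": {"provider_config": {"okta": {"name": "okta", "expressions": {
        "client_id": {"constant_value": "0oaPLACEHOLDER"},
        "scopes": {"constant_value": ["okta.policies.manage"]}}}}},
}

def policies_to_destroy(plan):
    """Addresses of okta_app_signon_policy resources the plan deletes or replaces."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("type") == "okta_app_signon_policy"
            and "delete" in rc.get("change", {}).get("actions", [])]

def preflight(plan):
    """Return one finding per doomed policy and Okta provider block that looks insufficient."""
    doomed = policies_to_destroy(plan)
    findings = []
    providers = plan.get("configuration", {}).get("provider_config", {})
    for key, cfg in providers.items():
        if not doomed or cfg.get("name") != "okta":
            continue
        scopes = cfg.get("expressions", {}).get("scopes", {})
        if "constant_value" not in scopes:
            # api_token auth, or scopes come from a variable: cannot be judged offline.
            problem = "scopes not literal; verify admin permissions manually"
        elif REQUIRED_SCOPE in scopes["constant_value"]:
            continue
        else:
            problem = f"does not request {REQUIRED_SCOPE}"
        findings += [f"{addr}: provider {key} {problem}" for addr in doomed]
    return findings

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = preflight(plan)
    print("\n".join(results) or "ok")
    sys.exit(1 if results else 0)
```

The check covers only what the provider requests. Whether the scope has been granted to the API Service application, and whether that application or the token's admin user holds sufficient admin permissions, still has to be confirmed in the Okta org.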
