okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Office 365-specific policy cannot be properly configured #1387

Open eduhamel opened 1 year ago

eduhamel commented 1 year ago

Description

Office 365-specific policy rule cannot be properly configured as the office365Client attribute is not available nor retrieved.

lucascantor commented 1 year ago

From what we've seen, it's also impossible to configure Windows-Autopilot-specific auth policy rules due to the lack of a suitable client argument in the okta_app_signon_policy_rule resource:

[screenshot omitted]

monde commented 1 year ago

I think this one will benefit when we bring better Okta Integration Network app support into the API

Other issues having touches on OIN: https://github.com/okta/terraform-provider-okta/issues/1304 https://github.com/okta/terraform-provider-okta/issues/1342

Okta Internal Reference: https://oktainc.atlassian.net/browse/OKTA-552937

monde commented 1 year ago

Also, I'm told last week, from the 15th to the 17th, there was a greater issue with the office365 app across the Okta service, see: https://status.okta.com/#incident/a9C4z000000Yzi5EAC @eduhamel can you try running your config again?

eduhamel commented 1 year ago

This is not related to the office365 issue that occurred last week, I just tested it again.


github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

lucascantor commented 1 year ago

not stale

ianwinsemius commented 1 year ago

I'm also running into this. The inability to set the attribute below via Terraform means that any 2FA config in your sign-on policy resources gets wiped out on apply, but without an error.

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

is the response I get with the following constraints configured:

```hcl
constraints = {
  knowledge = {
    reauthenticateIn = "PT2H"
    types            = ["password"]
  },
  possession = {
    deviceBound        = "REQUIRED"
    hardwareProtection = "REQUIRED"
  }
}
```

but the UI shows this is not configured: [screenshot omitted]

This is the missing attribute that I can set via the API to successfully configure these rules outside of the UI.

```json
"office365Client": {
    "include": [
        "WEB"
    ]
}
```

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

lucascantor commented 1 year ago

not stale

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

lucascantor commented 1 year ago

not stale

jodoscott commented 1 year ago

not stale

exitcode0 commented 1 year ago

not stale

Bumping issues to ward off StaleBot should no longer be required. If the Stale label isn't on the issue, it shouldn't get closed out. See the following PRs for reference 🙂 https://github.com/okta/terraform-provider-okta/pull/1697 https://github.com/okta/terraform-provider-okta/pull/1688

this means that we can now all follow the community notice and keep issue comments clean and on-topic 😃

Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request

steveAG commented 1 year ago

This is exposed in the API @monde, specifically, it's stored in the conditions.office365Client.include signon rule attribute. However, it doesn't appear to be in the Go SDK, which is a blocker for adding it to the provider.

Updating a policy rule through Terraform clears the value. We've been using a script to keep it set to the desired value (along with the device assurance policy attribute before that was released in v4.2.0), but that approach is increasingly problematic since the Python SDK is pretty far behind because it hasn't been updated for the v3 API (i.e. we just broke it with Chrome Device Trust policies).

Example M365 rule retrieved via API:

```json
{
    "id": "rul68xxx",
    "status": "ACTIVE",
    "name": "<Name>",
    "priority": 3,
    "created": "2023-06-30T18:58:01.000Z",
    "lastUpdated": "2023-10-11T21:35:42.000Z",
    "system": false,
    "conditions": {
        "people": {
            "users": {
                "exclude": []
            }
        },
        "network": {
            "connection": "ANYWHERE"
        },
        "device": {
            "registered": true,
            "managed": true
        },
        "riskScore": {
            "level": "ANY"
        },
        "elCondition": {
            "condition": "<endpoint integration>"
        },
        "userType": {
            "include": [],
            "exclude": []
        },
        "office365Client": {
            "include": [
                "MODERN_AUTH",
                "WEB"
            ]
        }
    }
}
```

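The failure mode described in the two comments above (the apply reports success, the 2FA constraints and `conditions.office365Client` are silently gone) is worth catching with a drift check rather than trusting the apply output. The script below is an added example; it is neither the provider's code nor the script mentioned in this thread. It assumes the rule JSON shape shown above, the Okta policy-rule endpoints `GET /api/v1/policies/{policyId}/rules` and `PUT /api/v1/policies/{policyId}/rules/{ruleId}` with SSWS API-token auth, and it uses a constructed sample rule (`rul00example`, the `DESIRED_O365_CLIENTS` value, the environment variable names) for the offline run.

```python
"""Detect and repair the office365Client condition Terraform drops on apply.

Added example, not code from the provider or from anyone in this thread.
Assumes the Okta policy-rule API (GET/PUT /api/v1/policies/{policyId}/rules,
SSWS token auth); the sample rule at the bottom is constructed for the
offline demonstration.
"""
import copy
import json
import os
import sys
import urllib.request

# Assumed desired value: the attribute Terraform silently clears.
DESIRED_O365_CLIENTS = ["MODERN_AUTH", "WEB"]


def office365_clients(rule: dict) -> list:
    """Return conditions.office365Client.include, or [] if the attribute is absent."""
    return rule.get("conditions", {}).get("office365Client", {}).get("include", [])


def has_drifted(rule: dict, desired: list) -> bool:
    """True when the rule's office365Client set differs from what we want (order-insensitive)."""
    return set(office365_clients(rule)) != set(desired)


def with_office365_client(rule: dict, desired: list) -> dict:
    """Return a copy of the rule with conditions.office365Client.include set.

    PUT on a policy rule replaces the whole rule, so every other field Okta
    returned (constraints, device conditions, priority) is carried over
    untouched; only the one missing attribute is added.
    """
    fixed = copy.deepcopy(rule)
    fixed.setdefault("conditions", {})["office365Client"] = {"include": list(desired)}
    return fixed


def drifted_rules(rules: list, desired: list) -> list:
    """IDs of rules whose office365Client is missing or wrong."""
    return [r["id"] for r in rules if has_drifted(r, desired)]


def _api(method: str, org_url: str, token: str, path: str, body=None):
    """Minimal Okta API call; only used when run with real credentials."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(org_url + path, data=data, method=method, headers={
        "Authorization": "SSWS " + token,
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def repair_policy(org_url: str, token: str, policy_id: str, desired: list, dry_run: bool = True):
    """Run right after `terraform apply`: re-set the attribute on every drifted rule."""
    rules = _api("GET", org_url, token, f"/api/v1/policies/{policy_id}/rules")
    for rule in rules:
        if rule.get("system") or not has_drifted(rule, desired):
            continue
        print(f"rule {rule['id']} ({rule['name']}): office365Client={office365_clients(rule)} -> {desired}")
        if not dry_run:
            _api("PUT", org_url, token, f"/api/v1/policies/{policy_id}/rules/{rule['id']}",
                 with_office365_client(rule, desired))


# Constructed sample: a rule as it looks right after Terraform applied it
# (2FA constraints present in actions, office365Client missing from conditions).
SAMPLE_RULE_AFTER_APPLY = {
    "id": "rul00example",
    "name": "M365 modern auth only",
    "system": False,
    "conditions": {
        "network": {"connection": "ANYWHERE"},
        "device": {"registered": True, "managed": True},
    },
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "factorMode": "2FA", "type": "ASSURANCE",
        "constraints": [{"knowledge": {"reauthenticateIn": "PT2H", "types": ["password"]},
                         "possession": {"deviceBound": "REQUIRED", "hardwareProtection": "REQUIRED"}}]}}},
}

if __name__ == "__main__":
    org, token, policy = (os.environ.get(k) for k in ("OKTA_ORG_URL", "OKTA_API_TOKEN", "OKTA_POLICY_ID"))
    if org and token and policy:
        # Dry-run by default; pass --apply to actually PUT the repaired rules.
        repair_policy(org, token, policy, DESIRED_O365_CLIENTS, dry_run="--apply" not in sys.argv)
    else:
        print("drifted:", drifted_rules([SAMPLE_RULE_AFTER_APPLY], DESIRED_O365_CLIENTS))
        print(json.dumps(with_office365_client(SAMPLE_RULE_AFTER_APPLY, DESIRED_O365_CLIENTS)["conditions"], indent=2))
```

Treat a non-empty drifted list as a finding rather than a nuisance: the apply itself reported success, so this check is the only signal that the O365 rule no longer restricts clients. The repair deliberately starts from the rule Okta returned and adds a single attribute, since a PUT built from a local copy of the rule would reintroduce exactly the full-replace problem the provider has.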
monde commented 1 year ago

@eduhamel the Okta API is rolling out EA access for configuring an O365 OIN app (and other OIN apps) via the Okta API in November/December. I believe it will be GA in January. Once that is deployed we'll be able to generate an okta-sdk-golang that the Terraform provider uses to communicate with the API and 100% support the Office 365 OIN app in Terraform.

cc: @duytiennguyen-okta @jefftaylor-okta

duytiennguyen-okta commented 1 year ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-658283

MScottBlake commented 2 months ago

Can anyone provide an update on this issue? It's been 11 months since the internal ticket was created and there is no indication of a timeline to resolution.