okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Intermittent validation issue for okta_authenticator #1545

Open okra-okta opened 1 year ago

okra-okta commented 1 year ago

Community Note

Terraform Version

Terraform v1.4.6 on darwin_amd64

Affected Resource(s)

Terraform Configuration Files

resource "okta_authenticator" "security_key" {
  name                        = "Security Key or Biometric"
  key                         = "webauthn"
  provider_hostname           = "localhost"
  provider_user_name_template = "global.assign.userName.login"
  status                      = "ACTIVE"
  settings = jsonencode(
    {
      "compliance" : {
        "fips" : "OPTIONAL"
      }
    }
  )
}

Debug Output

Error: for authenticator type 'security_key' fields 'provider_hostname', 'provider_auth_port', 'provider_shared_secret', and 'provider_user_name_template' are required

Expected Behavior

Authenticator should be created successfully

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

Yes

Actual Behavior

Error says that optional arguments are required.

Steps to Reproduce

  1. terraform plan
  2. terraform apply

Important Factoids

References

monde commented 1 year ago

From Slacking with @okra-okta, the code in question is at https://github.com/okta/terraform-provider-okta/blob/master/okta/resource_okta_authenticator.go#L318-L327

monde commented 1 year ago

Speaking with PM @jefftaylor-okta, we need to revisit all of the authenticators support given the importance of passwordless authentication.

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-608740

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

lucascantor commented 1 year ago

Providing null for these missing values has worked reliably for us:

resource "okta_authenticator" "webauthn" {
  name                        = "Security Key or Biometric"
  key                         = "webauthn"
  status                      = "ACTIVE"
  provider_hostname           = null
  provider_auth_port          = null
  provider_shared_secret      = null
  provider_user_name_template = null
}

flyweight commented 1 year ago

Any updates on this? I am seeing the same issue as the original poster with the following settings:

resource "okta_authenticator" "webauthn" {
  name = "WebAuthn"
  key = "webauthn"

  # Seems to throw an error when the settings argument is defined:

  settings = jsonencode(
    {
      "allowedFor": "authentication",
      "userVerification": "REQUIRED"
    }
  )

  # The following values were pulled from a data source:
  provider_hostname = "localhost"
  provider_auth_port = null
  provider_shared_secret = null
  provider_user_name_template = "global.assign.userName.login"
}

Thanks