okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Applying Selected Webauthn Authenticators Only to okta_policy_mfa via Terraform #1598

Open Wharle2099 opened 1 year ago

Wharle2099 commented 1 year ago

Terraform Version

Terraform Version 1.4.6

Affected Resource(s)

Terraform Configuration Files

resource "okta_policy_mfa" "human_user_mfa_policy" {
  name        = "Human User MFA Policy"
  status      = "ACTIVE"
  description = "Specifies strong MFA requirements for human users"

  fido_webauthn = {
    enroll = "OPTIONAL"
    # The issue is here: there's no ability to configure a list for allowed Yubikeys according to Terraform Docs.
  }

  groups_included = [okta_group.human_users.id]
  is_oie = true
}

Debug Output

No debug output as the terraform is technically applying correctly.

Panic Output

No panic output.

Expected Behavior

The expected behavior is Terraform not removing the selection of our specific authenticators list for webauthn. What we want is a feature/bug fix to allow us to configure the list of allowed groups of webauthn authenticators through Terraform.

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

I don't know. I read through the developer documents and did not see any sort of API call to do/configure this.

Actual Behavior

Terraform removed the option on the webauthn section of our MFA policy to only allow authenticators from specific webauthn groups.

Steps to Reproduce

  1. Create an okta_policy_mfa resource block in Terraform with fido_webauthn set to optional or required.
  2. In the console, create a list of allowed YubiKeys that only contains Series 5 FIPS YubiKeys.
  3. Select the option in the MFA policy on the console to only allow authenticators from a selected group and choose the YubiKey list created in step 2.
  4. Save the policy in the console.
  5. Import the policy into your Terraform state.
  6. Make a change to the policy via Terraform (perhaps change the value of the fido_webauthn enroll field) and apply the Terraform.
  7. Observe the MFA policy in the console to see that the "allow authenticators from selected groups" setting has been changed to "any webauthn authenticators".

Important Factoids

N/A

References

Terraform Okta MFA Policy Resource Documentation: https://registry.terraform.io/providers/okta/okta/latest/docs/resources/policy_mfa
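One way to catch the drift described in the reproduction steps before it reaches production is to snapshot the policy object before and after `terraform apply` and diff the two. The script below is an added example, not code from the provider or from this issue: it assumes two JSON snapshots of the policy (for instance from GET /api/v1/policies/{policyId}) and reports every leaf that was present before but is missing or changed afterwards. The snapshot shape and the `allowedAuthenticatorGroups` field are constructed placeholders, since the issue does not identify the real API field that holds the allowed WebAuthn authenticator groups.

```python
"""Detect policy settings silently dropped by a Terraform apply (added example).

Diffs two snapshots of an Okta MFA policy object and lists every leaf value
that existed before but is gone or different after. Run it against snapshots
taken before and after `terraform apply` to spot settings the provider does
not manage and therefore overwrites.
"""
from typing import Any


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into {"a.b[0].c": leaf} so paths can be compared."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{idx}]"))
    else:
        out[prefix] = obj
    return out


def dropped_settings(before: dict, after: dict) -> dict[str, tuple[Any, Any]]:
    """Return {path: (old, new)} for each leaf present before that is absent or changed after.

    A path missing from the 'after' snapshot is reported with new == None.
    """
    b, a = flatten(before), flatten(after)
    return {p: (v, a.get(p)) for p, v in b.items() if p not in a or a[p] != v}


# Constructed snapshots for illustration; "allowedAuthenticatorGroups" is a
# placeholder name, not a confirmed Okta API field.
BEFORE = {"name": "Human User MFA Policy", "settings": {"authenticators": [
    {"key": "webauthn", "enroll": {"self": "OPTIONAL"},
     "allowedAuthenticatorGroups": ["yubikey-5-fips"]}]}}
AFTER = {"name": "Human User MFA Policy", "settings": {"authenticators": [
    {"key": "webauthn", "enroll": {"self": "REQUIRED"}}]}}

if __name__ == "__main__":
    # Expected: the enroll change we made on purpose, plus the dropped group list.
    for path, (old, new) in dropped_settings(BEFORE, AFTER).items():
        print(f"{path}: {old!r} -> {new!r}")
```

Leaves that are empty lists or dicts produce no flattened path, so a setting that was already empty before the apply will not be reported.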

duytiennguyen-okta commented 1 year ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-620368

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days