A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Affected Resource(s)
resource okta_policy_mfa
Expected Behavior
`okta_policy_mfa` should:
- not instantiate with authenticators that are not enabled (e.g. `symantec_vip`)
- not save to state if a drift remediation / update fails
- detect if an authenticator has been disabled completely, as this requires setting `enroll = "NOT_ALLOWED"`, which should be considered drift if the configuration is either `enroll = "REQUIRED"` or `enroll = "OPTIONAL"`
Actual Behavior
`okta_policy_mfa` behaves as follows:
- can instantiate with certain authenticator blocks present in config that are not enabled in the Okta instance (`symantec_vip` in my example)
- can save invalid authenticators to the state file if present in config during drift remediation / update
- fails to detect if an authenticator has since been disabled in the Okta instance
  - it will detect and attempt to remediate when another change happens to an attribute it does consider drift
  - will re-enable the authenticator in some circumstances (likely due to how authenticators are only ever soft deleted)
Do you have a workaround?
These bugs can be worked around using the Admin UI or Admin Management API, because the bugs are in the Terraform provider layer (as far as I can tell).
Important Factoids
- I've come across these bugs whilst attempting to troubleshoot one of my own; it's unclear to me if these are the bug(s) I'm experiencing
- I suspect that this resource may be buggy when authenticators are disabled, which is what I suspected caused my current issue
References / Related issues
Terraform Version
Terraform Configuration Files
`main.tf`

```hcl
terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "3.41.0"
    }
  }
}

provider "okta" {
  org_name         = var.OKTA_ORG_NAME
  base_url         = var.OKTA_BASE_URL
  api_token        = var.OKTA_API_TOKEN
  max_api_capacity = 90
}

variable "OKTA_ORG_NAME" {}
variable "OKTA_BASE_URL" {}
variable "OKTA_API_TOKEN" {
  sensitive = true
}
```

`policy_mfa.tf`

```hcl
resource "okta_group" "test_group" {
  name        = "test_mfa_policy"
  description = "Requires both Okta Verify and WebAuthn"
  skip_users  = true
}

locals {
  instance_url = "https://${var.OKTA_ORG_NAME}.${var.OKTA_BASE_URL}"
}

# Reads the org's authenticator list so the enabled/disabled status of each
# authenticator can be compared against the policy below.
data "http" "authenticators" {
  url = "${local.instance_url}/api/v1/authenticators"
  request_headers = {
    Authorization = "SSWS ${var.OKTA_API_TOKEN}"
  }
}

output "raw_authenticators" {
  value = jsondecode(data.http.authenticators.body)
}

output "authenticators" {
  value = { for factor in jsondecode(data.http.authenticators.body) : factor.key => factor.status }
}

output "group_id" {
  value = okta_group.test_group.id
}

resource "okta_policy_mfa" "test_mfa_policy" {
  priority = 1
  is_oie   = true
  status   = "ACTIVE"
  name     = "test_mfa_policy"
  groups_included = [
    okta_group.test_group.id,
  ]
  okta_email = {
    "enroll" = "REQUIRED"
  }
  okta_verify = {
    "enroll" = "REQUIRED"
  }
  okta_password = {
    "enroll" = "REQUIRED"
  }
  webauthn = {
    "enroll" = "REQUIRED"
  }
  security_question = {
    "enroll" = "NOT_ALLOWED"
  }
  symantec_vip = {
    "enroll" = "NOT_ALLOWED"
  }
  # duo = {
  #   "enroll" = "NOT_ALLOWED"
  # }
}

resource "okta_policy_rule_mfa" "mfa_rule_require_verify_webauthn" {
  priority           = 1
  status             = "ACTIVE"
  name               = "Enrolment Rule"
  enroll             = "CHALLENGE"
  network_connection = "ANYWHERE"
  policy_id          = okta_policy_mfa.test_mfa_policy.id
  users_excluded     = []
}
```

Steps to Reproduce

```bash
#!/usr/bin/env bash
# Repro script. It expects the policy configuration above to live in ./sandbox.tf
# (the file is shown as policy_mfa.tf in this issue) and uses macOS pbcopy/pbpaste
# to toggle the commented duo block in place.
echo "$(pwd)"
echo 'proceed? (y/n)'
read -r answer
if [ "$answer" == "y" ]; then
  echo "Proceeding..."
elif [ "$answer" == "n" ]; then
  echo "Exiting..."
  exit 1
fi

# TF_LOG=DEBUG
# TF_LOG=INFO
OKTA_ORG_NAME=""   # this script was tested against a dev-xxxxx instance
OKTA_BASE_URL="okta.com"
OKTA_API_TOKEN=""

# ### `Destroy` or `rm` ensure we have a clean starting point
terraform destroy --auto-approve \
  -var OKTA_ORG_NAME="$OKTA_ORG_NAME" \
  -var OKTA_BASE_URL="$OKTA_BASE_URL" \
  -var OKTA_API_TOKEN="$OKTA_API_TOKEN" > debug_destroy.txt
rm ./*.tfstate*

terraform apply --auto-approve \
  -var OKTA_ORG_NAME="$OKTA_ORG_NAME" \
  -var OKTA_BASE_URL="$OKTA_BASE_URL" \
  -var OKTA_API_TOKEN="$OKTA_API_TOKEN" > debug_1.txt

# sed -i doesnt want to work for me for some reason - ¯\_(ツ)_/¯
# uncomment duo mfa block
pbcopy < ./sandbox.tf && pbpaste | sed 's/ # /\ /g' > ./sandbox.tf

terraform apply --auto-approve \
  -var OKTA_ORG_NAME="$OKTA_ORG_NAME" \
  -var OKTA_BASE_URL="$OKTA_BASE_URL" \
  -var OKTA_API_TOKEN="$OKTA_API_TOKEN" > debug_2.txt

# sed -i doesnt want to work for me for some reason - ¯\_(ツ)_/¯
# recomment duo mfa block after realising your mistake
# note that line numbers are hard-coded 51-53
pbcopy < ./sandbox.tf && pbpaste | sed '51,53 s/^ / # /' > ./sandbox.tf

policy_id="$(jq -r '.resources[] | select(.name == "test_mfa_policy") | .instances[0].attributes.id' ./terraform.tfstate)"
group_id="$(jq -r '.resources[] | select(.name == "test_group") | .instances[0].attributes.id' ./terraform.tfstate)"

# cause drift on purpose: rewrite the policy outside Terraform with webauthn
# downgraded to OPTIONAL and symantec_vip omitted
echo "policy_id - \"$policy_id\""
echo "group_id - \"$group_id\""
curl -X 'PUT' -i "https://$OKTA_ORG_NAME.$OKTA_BASE_URL/api/v1/policies/$policy_id" \
  -H "Authorization: SSWS $OKTA_API_TOKEN" -H 'Content-Type: application/json' \
  --data-raw '{"name":"test_mfa_policy","priority":1,"status":"ACTIVE","system":false,"type":"MFA_ENROLL","conditions":{"people":{"groups":{"include":["'"$group_id"'"]}}},"settings":{"type":"AUTHENTICATORS","authenticators":[{"key":"okta_email","enroll":{"self":"REQUIRED"}},{"key":"okta_verify","enroll":{"self":"REQUIRED"}},{"key":"okta_password","enroll":{"self":"REQUIRED"}},{"key":"webauthn","enroll":{"self":"OPTIONAL"}},{"key":"security_question","enroll":{"self":"NOT_ALLOWED"}}],"isUserAgreementContent":false}}' \
  --compressed

terraform apply --auto-approve \
  -var OKTA_ORG_NAME="$OKTA_ORG_NAME" \
  -var OKTA_BASE_URL="$OKTA_BASE_URL" \
  -var OKTA_API_TOKEN="$OKTA_API_TOKEN" > debug_3.txt

echo "tf state is in unrecoverable state"
echo "running terraform apply will now never succeed"
echo "can be fixed by running - \"terraform state rm\" then \"terraform state import\""
```
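The two checks the Expected Behavior section asks the provider to perform (refuse REQUIRED/OPTIONAL for an authenticator that is not enabled in the org, and treat a disabled authenticator or an out-of-band policy change as drift) can be run before `terraform apply` as a plain script. The code below is an added example, not the reporter's code and not part of the okta/okta provider. It assumes the two payload shapes the repro above already uses (items from `/api/v1/authenticators` carry `key` and `status`; the policy body carries `settings.authenticators[].key` and `.enroll.self`); every payload in it is a constructed sample, and its rule that a non-ACTIVE or absent authenticator counts as `NOT_ALLOWED` is an assumption taken from the issue text rather than documented provider behaviour.

```python
"""Pre-apply check for okta_policy_mfa authenticator settings (added example).

Validates a desired okta_policy_mfa configuration against the org's
authenticator list and against the policy as Okta currently stores it.
All payloads below are constructed samples, not captured from a real org.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENROLL_VALUES = {"REQUIRED", "OPTIONAL", "NOT_ALLOWED"}


@dataclass(frozen=True)
class Finding:
    key: str
    kind: str               # "not_enabled", "disabled_in_org" or "server_drift"
    configured: str         # enroll value the .tf asks for
    remote: Optional[str]   # org status or effective remote enroll; None if absent


def org_status(authenticators: List[dict]) -> Dict[str, str]:
    """Map authenticator key -> status ("ACTIVE"/"INACTIVE") from the API list."""
    return {a["key"]: a["status"] for a in authenticators}


def validate_config(config: Dict[str, str], authenticators: List[dict]) -> List[Finding]:
    """Flag config blocks the issue says the provider accepts silently: an enroll
    other than NOT_ALLOWED for an authenticator that is absent from, or not
    ACTIVE in, the org's authenticator list."""
    status = org_status(authenticators)
    findings = []
    for key, enroll in sorted(config.items()):
        if enroll not in ENROLL_VALUES:
            raise ValueError(f"{key}: unsupported enroll value {enroll!r}")
        if enroll == "NOT_ALLOWED":
            continue
        if key not in status:
            findings.append(Finding(key, "not_enabled", enroll, None))
        elif status[key] != "ACTIVE":
            findings.append(Finding(key, "disabled_in_org", enroll, status[key]))
    return findings


def effective_remote(policy: dict, authenticators: List[dict]) -> Dict[str, str]:
    """Enroll value per key as the org actually enforces it. Assumption (from the
    issue text): an authenticator that is not ACTIVE behaves as NOT_ALLOWED
    regardless of the value still stored in the policy."""
    status = org_status(authenticators)
    remote = {}
    for entry in policy["settings"]["authenticators"]:
        key = entry["key"]
        stored = entry["enroll"]["self"]
        remote[key] = stored if status.get(key) == "ACTIVE" else "NOT_ALLOWED"
    return remote


def detect_drift(config: Dict[str, str], policy: dict, authenticators: List[dict]) -> List[Finding]:
    """Compare configured enroll values with the effective remote values; a key
    missing on either side is treated as NOT_ALLOWED (assumption)."""
    remote = effective_remote(policy, authenticators)
    findings = []
    for key in sorted(set(config) | set(remote)):
        want = config.get(key, "NOT_ALLOWED")
        have = remote.get(key, "NOT_ALLOWED")
        if want != have:
            findings.append(Finding(key, "server_drift", want, have))
    return findings


def report(findings: List[Finding]) -> List[str]:
    return [f"{f.kind}: {f.key} configured={f.configured} remote={f.remote}" for f in findings]


# Constructed samples. DESIRED_CONFIG mirrors the okta_policy_mfa block in
# policy_mfa.tf; SAMPLE_POLICY is shaped like the repro's PUT body (webauthn
# flipped to OPTIONAL) plus a stale REQUIRED entry for an INACTIVE duo.
SAMPLE_AUTHENTICATORS = [
    {"key": "okta_email", "status": "ACTIVE"},
    {"key": "okta_verify", "status": "ACTIVE"},
    {"key": "okta_password", "status": "ACTIVE"},
    {"key": "webauthn", "status": "ACTIVE"},
    {"key": "security_question", "status": "ACTIVE"},
    {"key": "duo", "status": "INACTIVE"},
    # symantec_vip intentionally absent: never enabled in this sample org
]
DESIRED_CONFIG = {
    "okta_email": "REQUIRED", "okta_verify": "REQUIRED", "okta_password": "REQUIRED",
    "webauthn": "REQUIRED", "security_question": "NOT_ALLOWED", "symantec_vip": "NOT_ALLOWED",
}
SAMPLE_POLICY = {
    "name": "test_mfa_policy", "type": "MFA_ENROLL",
    "settings": {"type": "AUTHENTICATORS", "authenticators": [
        {"key": "okta_email", "enroll": {"self": "REQUIRED"}},
        {"key": "okta_verify", "enroll": {"self": "REQUIRED"}},
        {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
        {"key": "webauthn", "enroll": {"self": "OPTIONAL"}},
        {"key": "security_question", "enroll": {"self": "NOT_ALLOWED"}},
        {"key": "duo", "enroll": {"self": "REQUIRED"}},
    ]},
}

if __name__ == "__main__":
    for line in report(validate_config(DESIRED_CONFIG, SAMPLE_AUTHENTICATORS)):
        print(line)
    for line in report(detect_drift(DESIRED_CONFIG, SAMPLE_POLICY, SAMPLE_AUTHENTICATORS)):
        print(line)
```

Run against the samples, `validate_config` passes the page's configuration (every REQUIRED authenticator is ACTIVE, and `symantec_vip` is NOT_ALLOWED so its absence from the org is irrelevant), while `detect_drift` reports only `webauthn` (REQUIRED in config, OPTIONAL after the out-of-band PUT); the stale `duo` entry produces no drift because an INACTIVE authenticator is folded to NOT_ALLOWED on both sides. Setting `symantec_vip` to OPTIONAL or `duo` to REQUIRED in the config is what `validate_config` exists to reject before Terraform writes either into state.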