A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Expected Behavior
Two Device Assurance Policies are created that use the Chrome Device Trust integration to check device posture.
Can this be done in the Admin UI?
Yes
Can this be done in the actual API call?
Yes
Actual Behavior
Input validation in the resources rejects both, noting that Verify-specific attributes are required:
Error: Invalid Attribute Combination
│
│ with module.main.module.okta_org_settings.okta_policy_device_assurance_macos.macos_chrome,
│ on config.tf line N, in resource "okta_policy_device_assurance_macos" "macos_chrome":
│ N: resource "okta_policy_device_assurance_windows" "windows_chrome" {
│
│ At least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified
Error: Invalid Attribute Combination
│
│ with module.main.module.okta_org_settings.okta_policy_device_assurance_windows.windows_chrome,
│ on config.tf line N, in resource "okta_policy_device_assurance_windows" "windows_chrome":
│ N: resource "okta_policy_device_assurance_windows" "windows_chrome" {
│
│ At least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified
Specifying one of those attributes creates a policy that uses Okta Verify rather than the third-party provider.
As a temporary workaround, we added os_version, applied, then manually fixed the policy in the admin console. The provider doesn't see the fixed policy as requiring an update.
Steps to Reproduce
Run a terraform apply with the above configuration
Observe that the above error is encountered, preventing the creation of a third-party device assurance policy.
Important Factoids
This only seems to impact the MacOS and Windows policy resources. We successfully created a ChromeOS policy that uses the Chrome Device Trust integration via Terraform.
As noted, adding one of the attributes required by the provider's validation and then manually fixing the resulting policy works around the issue but creates a fragile resource.
Terraform Version
1.4.6