oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

oci_identity_domains_user throws error if `mfa_enabled_on` is not set or is null; should be optional #2223

Open jeliker1 opened 1 month ago

jeliker1 commented 1 month ago

Community Note

Terraform Version and Provider Version

Terraform v1.7.4 on darwin_arm64

Affected Resource(s)

affected_resources = oci_identity_domains_user

Terraform Configuration Files

resource "oci_identity_domains_user" "user" {
  #Required
  idcs_endpoint = var.iam_endpoint_url
  name {
    #Required
    family_name = var.family_name

    #Optional
    formatted  = var.full_name
    given_name = var.given_name
  }
  schemas = [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User"
  ]

  user_name = var.user_name

  #Optional
  emails {
    #Required
    type  = "work"
    value = var.email

    #Optional
    primary   = true
    secondary = false
  }
  emails {
    #Required
    type  = "recovery"
    value = var.recovery_email

    #Optional
    primary   = false
    secondary = false
  }
}

Debug Output

After apply we see this:

 Error: 400-BadErrorResponse, 
│ Suggestion: Please retry or contact support for help with service: Identity Domains User
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_domains_user 
│ API Reference: https://docs.oracle.com/iaas/api/#/en/identity-domains/v1/User/PutUser 
│ Request Target: PUT https://idcs-f132551e4a7c1a031362184cebb9c9f4.us-langley-idcs-1.identity.oci.oraclegovcloud.com:443/admin/v1/Users/9411defd3d40c68966114f8abc456f25?attributeSets=all 
│ Provider version: 6.13.0, released on 2024-10-12.  
│ Service: Identity Domains User 
│ Operation Name: PutUser 
│ OPC request ID: 3859c79c2e9393f78169581af166eaa6/55ALm1eMa40000000 

OCI Audit shows this:

"myuser@example.com UpdateUser failed with response You provided an incorrect date format '' for attribute : urn:ietf:params:scim:schemas:oracle:idcs:extension:mfa:User:mfaEnabledOn. The correct format is: 'yyyy-MM-ddTHH:mm:ss.SSSZ'."

Per the docs, mfaEnabledOn is optional and may be set to null.

Add this to the above resource and the error goes away:

  urnietfparamsscimschemasoracleidcsextensionmfa_user {
    mfa_enabled_on = "2024-10-16T17:43:00.000Z"
  }

https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/op-admin-v1-users-id-patch.html

Panic Output

Expected Behavior

Optional attributes like mfa_enabled_on should not cause an error if excluded from the resource script.

Actual Behavior

An error occurs if the optional attribute mfa_enabled_on is excluded from the resource script.

Steps to Reproduce

  1. terraform apply
  2. Note error
  3. Add block to resource
    urnietfparamsscimschemasoracleidcsextensionmfa_user {
      mfa_enabled_on = "2024-10-16T17:43:00.000Z"
    }
  4. terraform apply
  5. Note error is gone

Important Factoids

References
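
Added example, not part of the original issue and not the provider's own code: a Go illustration of the failure mode the audit message points at, where an unset optional string is serialized as '' instead of being omitted, beside a builder that omits it and validates the timestamp before sending. The function names, the `payload` type and the Go time layout are assumptions; the URN and sample timestamp come from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Extension URN taken from the audit message in the issue.
const mfaURN = "urn:ietf:params:scim:schemas:oracle:idcs:extension:mfa:User"

// Assumed Go layout for 'yyyy-MM-ddTHH:mm:ss.SSSZ'; accepts the literal "Z"
// suffix used in the issue's workaround value.
const scimTimeLayout = "2006-01-02T15:04:05.000Z07:00"

type payload map[string]map[string]string

// naivePayload (hypothetical) always emits the attribute, so an unset value
// reaches the service as '' and is rejected as a bad date.
func naivePayload(mfaEnabledOn string) payload {
	return payload{mfaURN: {"mfaEnabledOn": mfaEnabledOn}}
}

// buildMfaExtension (hypothetical) omits the extension when the value is
// unset and rejects malformed timestamps before any request is made.
func buildMfaExtension(mfaEnabledOn string) (payload, error) {
	if mfaEnabledOn == "" {
		return payload{}, nil
	}
	if _, err := time.Parse(scimTimeLayout, mfaEnabledOn); err != nil {
		return nil, fmt.Errorf("mfaEnabledOn %q does not match yyyy-MM-ddTHH:mm:ss.SSSZ: %w", mfaEnabledOn, err)
	}
	return payload{mfaURN: {"mfaEnabledOn": mfaEnabledOn}}, nil
}

func main() {
	// Constructed inputs: unset, the issue's workaround value, a malformed date.
	for _, v := range []string{"", "2024-10-16T17:43:00.000Z", "2024-10-16"} {
		naive, _ := json.Marshal(naivePayload(v))
		fixed, err := buildMfaExtension(v)
		out, _ := json.Marshal(fixed)
		fmt.Printf("input=%q\n  naive: %s\n  fixed: %s err=%v\n", v, naive, out, err)
	}
}
```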