pingidentity / terraform-provider-pingone

Terraform PingOne provider
https://registry.terraform.io/providers/pingidentity/pingone/
Mozilla Public License 2.0

Cannot set a default MFA Device Policy #382

Open dbryar opened 1 year ago

dbryar commented 1 year ago

Community Note

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

PingOne Terraform provider Version

terraform {
  required_version = ">= 1.4.0"
  required_providers {
    pingone = {
      source  = "pingidentity/pingone"
      version = "~> 0.13.1"
    }
    davinci = {
      source  = "pingidentity/davinci"
      version = "~> 0.1.3"
    }
  }
}

Affected Resource(s)

Terraform Configuration Files

resource "pingone_mfa_policy" "mfa_policy" {
  environment_id = pingone_environment.dev.id
  name           = "MFA Policy"
  security_key {
    enabled = false
  }
  platform {
    enabled = false
  }
  device_selection = "DEFAULT_TO_FIRST"
  email {
    enabled                       = true
    otp_failure_count             = 3
    otp_failure_cooldown_duration = 0
    otp_failure_cooldown_timeunit = "MINUTES"
    otp_lifetime_duration         = 30
    otp_lifetime_timeunit         = "MINUTES"
  }
  mobile {
    enabled = false
  }
  sms {
    enabled                       = true
    otp_failure_count             = 3
    otp_failure_cooldown_duration = 0
    otp_failure_cooldown_timeunit = "MINUTES"
    otp_lifetime_duration         = 30
    otp_lifetime_timeunit         = "MINUTES"
  }
  totp {
    enabled                       = true
    otp_failure_count             = 3
    otp_failure_cooldown_duration = 2
    otp_failure_cooldown_timeunit = "MINUTES"
  }
  voice {
    enabled = false
  }
  // default                      = true
}

API Documentation

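| Property | Type    | Required? | Mutable? | Description                                          |
|----------|---------|-----------|----------|------------------------------------------------------|
| default  | Boolean | Required  | Mutable  | Whether this is the default policy for Flow Manager. |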

Actual Behavior

default is not allowed

Steps to Reproduce

  1. Uncomment default line in HCL
  2. terraform plan

Important Factoids

There is no other way to set a default MFA policy in PingOne, except through an API call to update this policy.

References

I may have already mentioned the problem with defaults in Populations, although the issue was closed last week.

patrickcping commented 1 year ago

Hey @dbryar, thanks for raising! Yes, this is a deliberate limitation on the pingone_mfa_policy for the same reasons as described here.

Setting an environment default will need to be a separate resource (e.g. pingone_mfa_policy_default) as an enhancement so that the apply phase doesn't get locked.