Can't create okta.policy.RuleMfa without password authenticator

What happened?

@pulumi/okta version: 3.22.0

Getting an error when trying to create an authenticator enrollment policy with only email as required.

Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.

Code

new okta.policy.Mfa('my-mfa-policy', {
  name: 'MFA policy',
  groupsIncludeds: [everyone],
  status: 'ACTIVE',

  oktaEmail: { enrol: 'REQUIRED' },
  oktaPassword: { enroll: 'NOT_ALLOWED' }, // FIXME - this is not working
  googleOtp: { enroll: 'NOT_ALLOWED' },
  phoneNumber: { enroll: 'NOT_ALLOWED' },
});

Expected Behavior

Based on the doc Unless Org Feature FlagENG_ENABLE_OPTIONAL_PASSWORD_ENROLLMENTis ***disabled***oktaPasswordoroktaEmailmust be present and itsenrollvalue set toREQUIRED. Contact support to have this feature flag ***disabled***. I should be able to create the resource since the oktaEmail is required.

So the expected behavior is to have the authenticator enrollment policy created.

If I go to the UI and change manually, I do achieve the desired result.

Steps to reproduce

Install @pulumi/okta:3.22.0
Create an authenticator enrollment policy like described before
Run it and you will see the error described before

Output of `pulumi about`

failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

pulumi / pulumi-okta