terraform-provider-okta: Error: `failed to create MFA policy` : **At least one of Password or Email authenticator must be set to required.**
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v1.1.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/okta/okta v3.29.0
Affected Resource(s)
- okta_policy_mfa
Terraform Configuration Files
resource "okta_policy_mfa" "hc_okta_policy_mfa" {
  name        = "hc_okta_policy_mfa"
  status      = "ACTIVE"
  description = "var.okta_policies_mfa[count.index].description"
  is_oie      = true
  okta_otp = {
    enroll = "OPTIONAL"
  }
  phone_number = {
    enroll = "OPTIONAL"
  }
  okta_password = {
    enroll = "OPTIONAL"
  }
  okta_email = {
    enroll = "OPTIONAL"
  }
  groups_included = [local.okta-oie_group]
}
│ Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.
│
│ with module.factors_setup.okta_policy_mfa.hc_okta_policy_mfa,
│ on modules/factors/main.tf line 122, in resource "okta_policy_mfa" "hc_okta_policy_mfa":
│ 122: resource "okta_policy_mfa" "hc_okta_policy_mfa" {
resource "okta_policy_mfa" "hc_okta_policy_mfa" {
  name        = "hc_okta_policy_mfa"
  status      = "ACTIVE"
  description = "var.okta_policies_mfa[count.index].description"
  is_oie      = true
  okta_otp = {
    enroll = "OPTIONAL"
  }
  phone_number = {
    enroll = "OPTIONAL"
  }
  okta_password = {
    enroll = "REQUIRED"
  }
  okta_email = {
    enroll = "OPTIONAL"
  }
  groups_included = [local.okta-oie_group]
}
│ Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.
│
│ with module.factors_setup.okta_policy_mfa.hc_okta_policy_mfa,
│ on modules/factors/main.tf line 122, in resource "okta_policy_mfa" "hc_okta_policy_mfa":
│ 122: resource "okta_policy_mfa" "hc_okta_policy_mfa" {
Debug Output
Panic Output
Expected Behavior
Should not require any authenticator to be set to REQUIRED.
Actual Behavior
Failing with an error if email is not set to enroll = "REQUIRED". Failing with

Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required

even when the password authenticator is

  okta_password = {
    enroll = "REQUIRED"
  }
Steps to Reproduce
- Create an MFA policy with the email and phone authenticators set to a non-REQUIRED enroll setting
- Run terraform apply
Important Factoids
References
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 20
- Comments: 33 (2 by maintainers)
Commits related to this issue
- Test for Issue #1176 Closes #1176 — committed to okta/terraform-provider-okta by monde a year ago
👋🏻 @monde I think there's a bug still here. The code shown below in okta/resource_okta_policy_mfa.go removes any specified okta_password entry in an okta_policy_mfa resource, causing the API error to be returned if okta_email is disallowed. Looking at the API activity when playing around in the Okta admin panel, it's definitely possible to specify password authenticator policy settings contrary to the code comments. Additionally we've had a request to disable the feature flag mentioned, ENG_ENABLE_OPTIONAL_PASSWORD_ENROLLMENT, declined as this is the expected documented behaviour.

Opening this one back up. I thought we addressed default policy in the changes for the v3.41.0 release but that doesn't look to be the case https://github.com/okta/terraform-provider-okta/releases/tag/v3.41.0
Thanks @monde. Any idea on implementation timeframe?
Hi @ClintonianSunBlaster I try to do releases on Fridays when I have a good set of PRs merged. So it looks like a Friday release to me.
@monde
Is there a timeline for the #1427 and #1210 fixes? I assume they’ll be added into the next release in mid-February?
Also, just noting that these fixes should apply to okta_mfa_policy as well as okta_mfa_policy_default.
Thanks!
@BalaGanaparthi I verified #1427 / #1210 resolves this for your example with the caveat that the API expects "At least one of Password or Email authenticator must be set to required." So this config now passes on an OIE org: https://github.com/okta/terraform-provider-okta/pull/1427/files#diff-757a72557e85b9bcd0f4582b30f9dc57bc74736f706f2304aafb4a6f00302b94R107-R161
This is not resolved and should still be addressed - commenting to remove stale label
@Mrorya you need to include the password resource or email resource as required e.g.
The Terraform resource okta_policy_mfa doesn't send the okta_password authenticator configuration in the API request. The result is that the password authenticator is disabled in the policy. This is caused by the function syncAuthenticator() from https://github.com/okta/terraform-provider-okta/blob/master/okta/resource_okta_policy_mfa.go that filters the okta_password authenticator configuration.
Terraform okta_policy_mfa resource in the deployment (ANSI colour codes and CI timestamps stripped from the plan output):

  # module.policies.okta_policy_mfa.okta_policy_mfa["enr.clients.mfa"] will be created
  + resource "okta_policy_mfa" "okta_policy_mfa" {
      + description       = "Politique d'enrollement MFA pour les clients Extranet-iA."
      + groups_included   = [
          + "00g440z8rlIGtuUnS1d7",
        ]
      + id                = (known after apply)
      + is_oie            = true
      + name              = "enr.clients.mfa"
      + okta_email        = {
          + "consent_type" = "NONE"
          + "enroll"       = "REQUIRED"
        }
      + okta_password     = {
          + "consent_type" = "NONE"
          + "enroll"       = "REQUIRED"
        }
      + okta_verify       = {
          + "consent_type" = "NONE"
          + "enroll"       = "OPTIONAL"
        }
      + phone_number      = {
          + "consent_type" = "NONE"
          + "enroll"       = "OPTIONAL"
        }
      + priority          = 1
      + security_question = {
          + "consent_type" = "NONE"
          + "enroll"       = "NOT_ALLOWED"
        }
      + status            = "ACTIVE"
    }
API request sent from Terraform (CI timestamps stripped). Note that the okta_password section is not sent:

  ---[ REQUEST ]---------------------------------------
  POST /api/v1/policies HTTP/1.1
  Host: wealth-accp2-ia.oktapreview.com
  User-Agent: okta-sdk-golang/2.13.1 golang/go1.17.11 linux/amd64 okta-terraform/3.31.0
  Content-Length: 493
  Accept: application/json
  Authorization: SSWS ***
  Content-Type: application/json
  Accept-Encoding: gzip

  {
    "conditions": {
      "people": {
        "groups": {
          "include": [
            "00g440z8rlIGtuUnS1d7"
          ]
        }
      }
    },
    "description": "Politique d'enrollement MFA pour les clients Extranet-iA.",
    "name": "enr.clients.mfa",
    "priority": 1,
    "status": "ACTIVE",
    "type": "MFA_ENROLL",
    "settings": {
      "authenticators": [
        {
          "key": "okta_email",
          "enroll": {
            "self": "REQUIRED"
          }
        },
        {
          "key": "okta_verify",
          "enroll": {
            "self": "OPTIONAL"
          }
        },
        {
          "key": "phone_number",
          "enroll": {
            "self": "OPTIONAL"
          }
        },
        {
          "key": "security_question",
          "enroll": {
            "self": "NOT_ALLOWED"
          }
        }
      ],
      "type": "AUTHENTICATORS"
    }
  }
  -----------------------------------------------------: timestamp=2022-07-20T13:06:26.136Z
  2022-07-20T13:06:26.241Z [INFO] provider.terraform-provider-okta_v3.31.0: 2022/07/20 13:06:26 [DEBUG] Okta API Response Details:
  ---[ RESPONSE ]--------------------------------------
  HTTP/2.0 200 OK
The function that removes the okta_password section:

  func syncAuthenticator(d *schema.ResourceData, k string, authenticators []*sdk.PolicyAuthenticator) {
  	for _, authenticator := range authenticators {
  		if authenticator.Key == k {
  			// Skip OktaPassword as this should never be returned for MFA policies using authenticator.
  			// Enrollment policy changes for OIE for password
  			// https://help.okta.com/okta_help.htm?type=oie&id=ext-about-mfa-enrol-policies
  			if k != sdk.OktaPasswordFactor {
  				_ = d.Set(k, map[string]interface{}{
  					"enroll": authenticator.Enroll.Self,
  				})
  			}
  			return
  		}
  	}
  }
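The comment above shows the mechanism behind the error: the request body omits okta_password, so the API's rule ("Password or Email must be REQUIRED") cannot be satisfied by a password-only config. As an added illustration (not the provider's code, and not part of the original thread), the small Go model below builds the settings.authenticators list from Terraform-style enroll values, optionally dropping okta_password the way the thread describes, and applies the API's rule locally so the failure can be caught before terraform apply. The Authenticator type, buildAuthenticators and validateMFAEnroll are constructed names, not the provider's API.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Authenticator mirrors one settings.authenticators entry: {"key": ..., "enroll": {"self": ...}}.
type Authenticator struct {
	Key  string
	Self string // enroll.self: REQUIRED, OPTIONAL or NOT_ALLOWED
}

var errNoRequiredAnchor = errors.New("at least one of Password or Email authenticator must be set to required")

// buildAuthenticators turns Terraform-style "<key> = { enroll = <value> }" blocks into the
// API list. skipPassword reproduces the provider behaviour described above (okta_password dropped).
func buildAuthenticators(cfg map[string]string, skipPassword bool) []Authenticator {
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map order is random; keep the request deterministic
	out := make([]Authenticator, 0, len(keys))
	for _, k := range keys {
		if skipPassword && k == "okta_password" {
			continue
		}
		out = append(out, Authenticator{Key: k, Self: cfg[k]})
	}
	return out
}

// validateMFAEnroll applies the server-side rule from the error text locally,
// before a request is sent: okta_password or okta_email must be REQUIRED.
func validateMFAEnroll(auths []Authenticator) error {
	for _, a := range auths {
		if (a.Key == "okta_password" || a.Key == "okta_email") && a.Self == "REQUIRED" {
			return nil
		}
	}
	return errNoRequiredAnchor
}

func main() {
	// Constructed sample matching the second config in the issue body.
	cfg := map[string]string{"okta_password": "REQUIRED", "okta_email": "OPTIONAL", "phone_number": "OPTIONAL"}
	fmt.Println("as written:", validateMFAEnroll(buildAuthenticators(cfg, false))) // <nil>
	fmt.Println("password filtered:", validateMFAEnroll(buildAuthenticators(cfg, true)))
}
```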
Reopening this.
@nicholasconnelly @BalaGanaparthi check out #1194. It just updates our tests and documentation. TL;DR you need to contact support to have feature flag OKTA_MFA_POLICY enabled (which it probably already is given your comments) and also have feature flag ENG_ENABLE_OPTIONAL_PASSWORD_ENROLLMENT disabled to remove the need for okta_email or okta_password to be present with enroll set to REQUIRED.