terraform-provider-okta
Error: `failed to create MFA policy` : **At least one of Password or Email authenticator must be set to required.**
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v1.1.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/okta/okta v3.29.0
Affected Resource(s)
- okta_policy_mfa
Terraform Configuration Files
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
resource "okta_policy_mfa" "hc_okta_policy_mfa" {
name = "hc_okta_policy_mfa"
status = "ACTIVE"
description = "var.okta_policies_mfa[count.index].description"
is_oie = true
okta_otp = {
enroll = "OPTIONAL"
}
phone_number = {
enroll = "OPTIONAL"
}
okta_password = {
enroll = "OPTIONAL"
}
okta_email = {
enroll = "OPTIONAL"
}
groups_included = [local.okta-oie_group]
}
│ Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.
│
│ with module.factors_setup.okta_policy_mfa.hc_okta_policy_mfa,
│ on modules/factors/main.tf line 122, in resource "okta_policy_mfa" "hc_okta_policy_mfa":
│ 122: resource "okta_policy_mfa" "hc_okta_policy_mfa" {
resource "okta_policy_mfa" "hc_okta_policy_mfa" {
name = "hc_okta_policy_mfa"
status = "ACTIVE"
description = "var.okta_policies_mfa[count.index].description"
is_oie = true
okta_otp = {
enroll = "OPTIONAL"
}
phone_number = {
enroll = "OPTIONAL"
}
okta_password = {
enroll = "REQUIRED"
}
okta_email = {
enroll = "OPTIONAL"
}
groups_included = [local.okta-oie_group]
}
│ Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.
│
│ with module.factors_setup.okta_policy_mfa.hc_okta_policy_mfa,
│ on modules/factors/main.tf line 122, in resource "okta_policy_mfa" "hc_okta_policy_mfa":
│ 122: resource "okta_policy_mfa" "hc_okta_policy_mfa" {
Debug Output
Panic Output
│ Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.
│
│ with module.factors_setup.okta_policy_mfa.hc_okta_policy_mfa,
│ on modules/factors/main.tf line 122, in resource "okta_policy_mfa" "hc_okta_policy_mfa":
│ 122: resource "okta_policy_mfa" "hc_okta_policy_mfa" {
Expected Behavior
Should not have any Authenticator to be REQUIRED
Actual Behavior
Failing with an error if email is not enroll = "REQUIRED"
Failing with
Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required
even when password authenticator is
okta_password = {
enroll = "REQUIRED"
}
Steps to Reproduce
- Create an MFA policy with the email and phone authenticators set to a non-REQUIRED enroll setting
- Run terraform apply
Important Factoids
References
- #0000
Thanks for all the details @BalaGanaparthi , I will take a look.
@BalaGanaparthi that error "At least one of Password or Email authenticator must be set to required" is coming from the API itself so this seems to be a policy setting mismatch.
We have an ACC test TestAccOktaMfaPolicy_crud and all of the enrolls in the example TF are optional and the test passes:
TF_ACC=1 go test -tags unit -mod=readonly -test.v -run ^TestAccOktaMfaPolicy_crud$ ./okta 2>&1
=== RUN TestAccOktaMfaPolicy_crud
--- PASS: TestAccOktaMfaPolicy_crud (12.02s)
PASS
ok github.com/okta/terraform-provider-okta/okta 12.659s
https://github.com/okta/terraform-provider-okta/blob/6ddf5aa3a874ca8a254fe8d707bf21cc61dc4cf5/okta/resource_okta_policy_mfa_test.go#L16-L54
https://github.com/okta/terraform-provider-okta/blob/6ddf5aa3a874ca8a254fe8d707bf21cc61dc4cf5/examples/okta_policy_mfa/basic_updated.tf
hi @monde , have you tried this with an OIE tenant and policy? I'm having the same issue above. I've tried multiple permutations of setting okta_email and okta_password as optional / required. I believe the issue is with the okta_password resource. When I set the email okta_authenticator resource as allowed for authentication, and then set email as required in the MFA policy, I can bypass this error. However the resultant policy will be incorrect.
For example, my Terraform resource:
resource "okta_policy_mfa" "customers" {
name = "Customers"
status = "ACTIVE"
description = "SMS Policy"
is_oie = true
priority = 1
okta_password = {
enroll = "REQUIRED"
}
okta_email = {
enroll = "REQUIRED"
}
okta_verify = {
enroll = "OPTIONAL"
}
phone_number = {
enroll = "OPTIONAL"
}
groups_included = [
okta_group.customers.id
]
}
The resultant policy ends up with password disabled:
@nicholasconnelly thanks for the additional information, that is helpful background.
@nicholasconnelly confirmed, @BalaGanaparthi helped me get my OIE testing org set up with the correct feature flag to get the ACC test to fail:
TF_ACC=1 go test -tags unit -mod=readonly -test.v -run ^TestAccOktaMfaPolicy_crud$ ./okta 2>&1
=== RUN TestAccOktaMfaPolicy_crud
resource_okta_policy_mfa_test.go:24: Step 1/2 error: Error running apply: exit status 1
Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: At least one of Password or Email authenticator must be set to required.
with okta_policy_mfa.test,
on terraform_plugin_test.tf line 5, in resource "okta_policy_mfa" "test":
5: resource "okta_policy_mfa" "test" {
--- FAIL: TestAccOktaMfaPolicy_crud (2.46s)
FAIL
FAIL github.com/okta/terraform-provider-okta/okta 4.108s
FAIL
@nicholasconnelly @BalaGanaparthi check out #1194 . It just updates our tests and documentation. TL;DR you need to contact support to have feature flag OKTA_MFA_POLICY enabled (which it probably already is given your comments) and also have feature flag ENG_ENABLE_OPTIONAL_PASSWORD_ENROLLMENT disabled to remove the need for okta_email or okta_password to be present with enroll set to REQUIRED.
Released in https://github.com/okta/terraform-provider-okta/releases/tag/v3.31.0
👋🏻 @monde I think there's a bug still here. The code shown below in okta/resource_okta_policy_mfa.go removes any specified okta_password entry in an okta_policy_mfa resource causing the API error to be returned if okta_email is disallowed. Looking at the API activity when playing around in the Okta admin panel, it's definitely possible to specify password authenticator policy settings contrary to the code comments. Additionally we've had a request to disable the feature flag mentioned, ENG_ENABLE_OPTIONAL_PASSWORD_ENROLLMENT, declined as this is the expected documented behaviour.

	_ = d.Set("is_oie", settings.Type == "AUTHENTICATORS")
	if settings.Type == "AUTHENTICATORS" {
		for _, key := range remove(sdk.AuthenticatorProviders, sdk.OktaPasswordFactor) {
			syncAuthenticator(d, key, settings.Authenticators)
		}
	} else {
		...
	}
}
Reopening this.
Terraform resource okta_policy_mfa doesn't send the okta_password authenticator configuration in the API request. The result is that the password authenticator is disabled in the policy. This is caused by the function syncAuthenticator() from https://github.com/okta/terraform-provider-okta/blob/master/okta/resource_okta_policy_mfa.go that filters the okta_password authenticator configuration.

Terraform okta_policy_mfa resource in the deployment:

  # module.policies.okta_policy_mfa.okta_policy_mfa["enr.clients.mfa"] will be created
  + resource "okta_policy_mfa" "okta_policy_mfa" {
      + description       = "Politique d'enrollement MFA pour les clients Extranet-iA."
      + groups_included   = [
          + "00g440z8rlIGtuUnS1d7",
        ]
      + id                = (known after apply)
      + is_oie            = true
      + name              = "enr.clients.mfa"
      + okta_email        = {
          + "consent_type" = "NONE"
          + "enroll"       = "REQUIRED"
        }
      + okta_password     = {
          + "consent_type" = "NONE"
          + "enroll"       = "REQUIRED"
        }
      + okta_verify       = {
          + "consent_type" = "NONE"
          + "enroll"       = "OPTIONAL"
        }
      + phone_number      = {
          + "consent_type" = "NONE"
          + "enroll"       = "OPTIONAL"
        }
      + priority          = 1
      + security_question = {
          + "consent_type" = "NONE"
          + "enroll"       = "NOT_ALLOWED"
        }
      + status            = "ACTIVE"
    }

API Request sent from Terraform - Note that the okta_password section is not sent:

---[ REQUEST ]---------------------------------------
POST /api/v1/policies HTTP/1.1
Host: wealth-accp2-ia.oktapreview.com
User-Agent: okta-sdk-golang/2.13.1 golang/go1.17.11 linux/amd64 okta-terraform/3.31.0
Content-Length: 493
Accept: application/json
Authorization: SSWS ***
Content-Type: application/json
Accept-Encoding: gzip

{
  "conditions": {
    "people": {
      "groups": {
        "include": [
          "00g440z8rlIGtuUnS1d7"
        ]
      }
    }
  },
  "description": "Politique d'enrollement MFA pour les clients Extranet-iA.",
  "name": "enr.clients.mfa",
  "priority": 1,
  "status": "ACTIVE",
  "type": "MFA_ENROLL",
  "settings": {
    "authenticators": [
      {
        "key": "okta_email",
        "enroll": {
          "self": "REQUIRED"
        }
      },
      {
        "key": "okta_verify",
        "enroll": {
          "self": "OPTIONAL"
        }
      },
      {
        "key": "phone_number",
        "enroll": {
          "self": "OPTIONAL"
        }
      },
      {
        "key": "security_question",
        "enroll": {
          "self": "NOT_ALLOWED"
        }
      }
    ],
    "type": "AUTHENTICATORS"
  }
}
-----------------------------------------------------: timestamp=2022-07-20T13:06:26.136Z
2022-07-20T13:06:26.241Z [INFO] provider.terraform-provider-okta_v3.31.0: 2022/07/20 13:06:26 [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK

The function that removes the okta_password section:

func syncAuthenticator(d *schema.ResourceData, k string, authenticators []*sdk.PolicyAuthenticator) {
	for _, authenticator := range authenticators {
		if authenticator.Key == k {
			// Skip OktaPassword as this should never be returned for MFA policies using authenticator.
			// Enrollment policy changes for OIE for password
			// https://help.okta.com/okta_help.htm?type=oie&id=ext-about-mfa-enrol-policies
			if k != sdk.OktaPasswordFactor {
				_ = d.Set(k, map[string]interface{}{
					"enroll": authenticator.Enroll.Self,
				})
			}
			return
		}
	}
}
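To make the mismatch described in the comment above concrete, here is an added, self-contained Go example. It is not the provider's code: the Authenticator type, buildAuthenticators, validateEnrollment and payloadJSON are hypothetical names, and the configuration is constructed to match the failing case in the thread (okta_password REQUIRED, okta_email OPTIONAL). It builds the settings.authenticators payload from a factor-to-enroll map, optionally drops okta_password the way the thread says the provider does, and applies the API's "at least one of Password or Email authenticator must be set to required" rule as a local pre-flight check so the operator sees the problem before a request is sent.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Authenticator mirrors one entry of "settings.authenticators" as it appears in
// the request log above. The Go field names are assumptions, not the SDK's types.
type Authenticator struct {
	Key    string `json:"key"`
	Enroll struct {
		Self string `json:"self"`
	} `json:"enroll"`
}

// Authenticator keys that the API accepts as the required "anchor" factor.
const (
	OktaPassword = "okta_password"
	OktaEmail    = "okta_email"
)

// buildAuthenticators turns a Terraform-style map of factor key -> enroll value
// into the payload shape. With dropPassword set it reproduces the filtering the
// thread describes: okta_password never reaches the request body, whatever the
// operator configured.
func buildAuthenticators(cfg map[string]string, dropPassword bool) []Authenticator {
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		if dropPassword && k == OktaPassword {
			continue
		}
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order makes the body easy to diff in logs
	out := make([]Authenticator, 0, len(keys))
	for _, k := range keys {
		var a Authenticator
		a.Key = k
		a.Enroll.Self = cfg[k]
		out = append(out, a)
	}
	return out
}

// ErrNoRequiredAnchor is the client-side equivalent of the API's
// "At least one of Password or Email authenticator must be set to required".
var ErrNoRequiredAnchor = errors.New("at least one of okta_password or okta_email must have enroll = REQUIRED")

// validateEnrollment checks the rule locally, on the list that would actually
// be sent, so a silently dropped okta_password is caught before the API call.
func validateEnrollment(auths []Authenticator) error {
	for _, a := range auths {
		if (a.Key == OktaPassword || a.Key == OktaEmail) && a.Enroll.Self == "REQUIRED" {
			return nil
		}
	}
	return ErrNoRequiredAnchor
}

// payloadJSON renders the settings block in the same shape as the logged request.
func payloadJSON(auths []Authenticator) (string, error) {
	b, err := json.MarshalIndent(map[string]interface{}{
		"settings": map[string]interface{}{
			"authenticators": auths,
			"type":           "AUTHENTICATORS",
		},
	}, "", "  ")
	return string(b), err
}

func main() {
	// Constructed configuration matching the thread's failing case.
	cfg := map[string]string{
		OktaPassword:   "REQUIRED",
		OktaEmail:      "OPTIONAL",
		"okta_verify":  "OPTIONAL",
		"phone_number": "OPTIONAL",
	}
	for _, drop := range []bool{true, false} {
		auths := buildAuthenticators(cfg, drop)
		fmt.Printf("dropPassword=%v: %d authenticators sent, pre-flight check: %v\n",
			drop, len(auths), validateEnrollment(auths))
	}
	body, _ := payloadJSON(buildAuthenticators(cfg, false))
	fmt.Println(body)
}
```

With the password filter on, the REQUIRED okta_password entry is absent from the body and the local check returns ErrNoRequiredAnchor, which is exactly the state the API rejects; with the filter off the same configuration passes. Putting the check on the list that is actually serialised, rather than on the operator's input, is what makes the dropped entry visible.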
Watching this for updates! Looks like the previous comment noted the explicit issue but just noting that we're on 3.31.0 with the bug that's referenced - run into the same API error regardless of whether the password authenticator is required or not
a workaround for this issue on OIE is to use the non-OIE configuration for this resource
i.e. set
is_oie = false
for Okta Verify use
okta_push = {
enroll = "NOT_ALLOWED"
}
okta_otp = {
enroll = "NOT_ALLOWED"
}
for Phone use
okta_call = {
enroll = "NOT_ALLOWED"
}
okta_sms = {
enroll = "REQUIRED"
}
for FIDO use
fido_webauthn = {
enroll = "NOT_ALLOWED"
}
@nicholasconnelly - Interesting... I've attempted to create a classic policy in one of my OIE preview tenants and still ran into the same issue with the following configuration:
resource "okta_policy_mfa" "require_fido2" {
name = "WebAuthn Only"
status = "ACTIVE"
description = "Require FIDO2 (Yubikey)"
is_oie = false
okta_otp = {
enroll = "NOT_ALLOWED"
}
okta_push = {
enroll = "NOT_ALLOWED"
}
google_otp = {
enroll = "NOT_ALLOWED"
}
fido_webauthn = {
enroll = "REQUIRED"
}
yubikey_token = {
enroll = "NOT_ALLOWED"
}
}
And on execution:
okta_policy_mfa.require_fido2: Creating...
╷
│ Error: failed to create MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: settings.factors: Factor specified in the policy settings is not configured., errorSummary: At least one of Password or Email authenticator must be set to required.
@Mrorya you need to include the password resource or email resource as required e.g.
okta_password = {
enroll = "REQUIRED"
}
Ref'd internally https://oktainc.atlassian.net/browse/OKTA-513055
Does anyone have any update on this?
Spoke to Okta support to get the flags changed and it seems like a major infrastructure change that needs a business case and a lot of work.
I have been testing this with a few people and on one OIE tenant, and it seems that the behaviour between setting is_oie = true or false is very inconsistent: with either setting, some of the applies fail or, if the apply succeeds, the definition of the tf resource isn't being followed.
Okta internal reference https://oktainc.atlassian.net/browse/OKTA-544288
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
This is not resolved and should still be addressed - commenting to remove stale label
I have to double check but I think #1427 / #1210 will be fixing this.
@BalaGanaparthi I verified #1427 / #1210 resolves this for your example with the caveat that the API expects At least one of Password or Email authenticator must be set to required. So this config now passes on an OIE org:
https://github.com/okta/terraform-provider-okta/pull/1427/files#diff-757a72557e85b9bcd0f4582b30f9dc57bc74736f706f2304aafb4a6f00302b94R107-R161
data "okta_group" "all" {
name = "Everyone"
}
resource "okta_policy_mfa" "test" {
name = "testAcc_replace_with_uuid"
status = "ACTIVE"
description = "Terraform Acceptance Test MFA Policy"
is_oie = true
okta_otp = {
enroll = "OPTIONAL"
}
phone_number = {
enroll = "OPTIONAL"
}
okta_password = {
enroll = "REQUIRED"
}
okta_email = {
enroll = "OPTIONAL"
}
groups_included = [data.okta_group.all.id]
}
@monde
Is there a timeline for the #1427 and #1210 fixes? I assume they'll be added into the next release in mid-February?
Also, just noting that these fixes should apply to okta_mfa_policy as well as okta_mfa_policy_default.
Thanks!
Hi @ClintonianSunBlaster I try to do releases on Fridays when I have a good set of PRs merged. So it looks like a Friday release to me.
Thanks for keeping us updated @monde - we really appreciate it. This particular problem has been a right pain!
Thanks a ton Mike! Much appreciated!
Thanks @monde !!
Hello @monde,
I'm experiencing the exact same issue with both the okta_policy_mfa resource as well as the okta_policy_mfa_default resource
resource "okta_policy_mfa_default" "Default_enrollment_rule" {
is_oie = true
okta_password = {
enroll = "REQUIRED"
}
okta_verify = {
enroll = "OPTIONAL"
}
webauthn = {
enroll = "REQUIRED"
}
}
Results in
Error: failed to update default MFA policy: the API returned an error: Api validation failed: mediationPolicy. Causes: errorSummary: Password authenticator for default mfa enrollment policy must be required
Is there a status on the issue being resolved?
Opening this one back up. I thought we addressed default policy in the changes for the v3.41.0 release but that doesn't look to be the case https://github.com/okta/terraform-provider-okta/releases/tag/v3.41.0
Thanks @monde. Any idea on implementation timeframe?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days