terraform-provider-okta
Unable to manage third-party device assurance policies for Windows/Mac
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
1.4.6
Affected Resource(s)
- okta_policy_device_assurance_windows
- okta_policy_device_assurance_macos
Terraform Configuration Files
```hcl
# Both policies use only tpsp_* (third-party signal provider) attributes,
# i.e. Chrome Device Trust posture signals, with no Okta Verify attributes.
resource "okta_policy_device_assurance_macos" "macos_chrome" {
  name                          = "MACOS-CHROME"
  tpsp_device_enrollment_domain = "test.xyz"
  tpsp_os_version               = "13.0.0"
  tpsp_disk_encrypted           = true
  tpsp_screen_lock_secured      = true
}

resource "okta_policy_device_assurance_windows" "windows_chrome" {
  name                          = "WINDOWS-CHROME"
  tpsp_device_enrollment_domain = "test.xyz"
  tpsp_os_version               = "10.0.19045.0"
  tpsp_disk_encrypted           = true
  tpsp_screen_lock_secured      = true
}
```
Debug Output
Panic Output
Expected Behavior
Two Device Assurance Policies are created that use the Chrome Device Trust integration to check device posture.
Can this be done in the Admin UI?
Yes
Can this be done in the actual API call?
Yes
Actual Behavior
Input validation in the resources rejects both, noting that Verify-specific attributes are required:
```text
Error: Invalid Attribute Combination
│
│   with module.main.module.okta_org_settings.okta_policy_device_assurance_macos.macos_chrome,
│   on config.tf line N, in resource "okta_policy_device_assurance_macos" "macos_chrome":
│   N: resource "okta_policy_device_assurance_windows" "windows_chrome" {
│
│ At least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified

Error: Invalid Attribute Combination
│
│   with module.main.module.okta_org_settings.okta_policy_device_assurance_windows.windows_chrome,
│   on config.tf line N, in resource "okta_policy_device_assurance_windows" "windows_chrome":
│   N: resource "okta_policy_device_assurance_windows" "windows_chrome" {
│
│ At least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified
```
Specifying one of those attributes creates a policy that uses Okta Verify rather than the third-party provider.
As a temporary workaround, we added `os_version`, applied, then manually fixed the policy in the admin console. The provider doesn't see the fixed policy as requiring an update.
Steps to Reproduce
- Run a `terraform apply` with the above configuration
- Observe that the above error is encountered, preventing the creation of a third-party device assurance policy.
Important Factoids
- This only seems to impact the macOS and Windows policy resources. We successfully created a ChromeOS policy that uses the Chrome Device Trust integration via Terraform.
- As noted, adding one of the attributes required by the provider's validation and then manually fixing the resulting policy works around the issue but creates a fragile resource.
- Tested with the latest provider (4.4.3)
References
OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-658712
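To make the reported validation gap concrete, the following added Go example (not the provider's code, and not using its schema types) models a resource's attributes as a flat map, reproduces the check described by the error message above (only the Okta Verify group is consulted), and shows the rule a fix would need: exactly one of the two attribute groups present. The `Attrs` type, both `validate*` functions and the list of `tpsp_*` names are illustrative; the assumption that mixing the two groups should be rejected is drawn from the observation in this issue that adding `os_version` turns the policy into an Okta Verify one.

```go
package main

import (
	"fmt"
	"strings"
)

// Attrs is a hypothetical, flattened model of the attributes a user sets on one
// okta_policy_device_assurance_macos/_windows resource: a key is present only if
// the attribute was written in the .tf file. It is not the provider's schema type.
type Attrs map[string]interface{}

// The Okta Verify attributes named in the provider's error message.
var verifyAttrs = []string{"os_version", "secure_hardware_present", "screenlock_type"}

// The third-party signal provider (Chrome Device Trust) attributes used in this
// issue's configuration. The provider exposes further tpsp_* attributes; only the
// ones that appear on this page are listed here.
var tpspAttrs = []string{
	"tpsp_device_enrollment_domain",
	"tpsp_os_version",
	"tpsp_disk_encrypted",
	"tpsp_screen_lock_secured",
}

// anySet reports whether at least one of names is present (and non-nil) in a.
func anySet(a Attrs, names []string) bool {
	for _, n := range names {
		if v, ok := a[n]; ok && v != nil {
			return true
		}
	}
	return false
}

// validateReported mirrors the behaviour reported in the issue: only the Okta
// Verify group is consulted, so a configuration that uses only tpsp_* attributes
// is rejected with the same wording the provider prints.
func validateReported(a Attrs) error {
	if !anySet(a, verifyAttrs) {
		return fmt.Errorf("Invalid Attribute Combination: At least one attribute out of [%s] must be specified",
			strings.Join(verifyAttrs, ","))
	}
	return nil
}

// validateProposed is the rule a fix would need: exactly one of the two groups
// must be present. Rejecting a mix is an assumption (see lead-in), based on the
// issue's note that adding os_version produces an Okta Verify policy instead.
func validateProposed(a Attrs) error {
	verify, tpsp := anySet(a, verifyAttrs), anySet(a, tpspAttrs)
	switch {
	case verify && tpsp:
		return fmt.Errorf("Invalid Attribute Combination: Okta Verify attributes [%s] cannot be combined with third-party attributes [%s]",
			strings.Join(verifyAttrs, ","), strings.Join(tpspAttrs, ","))
	case !verify && !tpsp:
		return fmt.Errorf("Invalid Attribute Combination: At least one attribute out of [%s] or [%s] must be specified",
			strings.Join(verifyAttrs, ","), strings.Join(tpspAttrs, ","))
	}
	return nil
}

func main() {
	// The issue's macOS configuration, as the provider would see it.
	macosChrome := Attrs{
		"name":                          "MACOS-CHROME",
		"tpsp_device_enrollment_domain": "test.xyz",
		"tpsp_os_version":               "13.0.0",
		"tpsp_disk_encrypted":           true,
		"tpsp_screen_lock_secured":      true,
	}
	// The reporter's workaround: add os_version so the reported check passes.
	workaround := Attrs{
		"name":                          "MACOS-CHROME",
		"os_version":                    "13.0.0",
		"tpsp_device_enrollment_domain": "test.xyz",
	}

	fmt.Println("reported, tpsp only:  ", validateReported(macosChrome)) // rejected
	fmt.Println("proposed, tpsp only:  ", validateProposed(macosChrome)) // <nil>
	fmt.Println("reported, workaround: ", validateReported(workaround))  // <nil>
	fmt.Println("proposed, workaround: ", validateProposed(workaround))  // rejected as a mix
}
```

Run with `go run .`; the first line is the error quoted in this issue, the second shows the same configuration accepted once the tpsp_* group counts as a valid alternative.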
This is also an issue on provider version 4.5.0
This is still an issue on provider version 4.9.1 :(
So this issue has been kicking around for over a year.