Merge pull request #1982 from okta/fix_custom_otp_authenticator

fix_custom_otp authenticator suppress name
okta · Apr 23, 2024 · 20f41a8 · 20f41a8
2 parents fcf72cc + 93a91e2
commit 20f41a8
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 8 deletions.
diff --git a/examples/resources/okta_authenticator/resource.tf b/examples/resources/okta_authenticator/resource.tf
@@ -7,3 +7,19 @@ resource "okta_authenticator" "test" {
     }
   )
 }
+
+resource "okta_authenticator" "otp" {
+  name   = "Custom OTP"
+  key    = "custom_otp"
+  status = "ACTIVE"
+  settings = jsonencode({
+    "protocol" : "TOTP",
+    "acceptableAdjacentIntervals" : 3,
+    "timeIntervalInSeconds" : 30,
+    "encoding" : "base32",
+    "algorithm" : "HMacSHA256",
+    "passCodeLength" : 6
+  })
+  // required to be false for custom_otp
+  legacy_ignore_name = false
+}
diff --git a/okta/resource_okta_authenticator.go b/okta/resource_okta_authenticator.go
@@ -34,6 +34,8 @@ multiple custom_otp authenticator. To create new custom_otp authenticator, a new
 name and key = custom_otp is required. If an old name is used, it will simply 
 reactivate the old custom_otp authenticator
 
+-> **Update:** custom_otp authenticator cannot be updated
+
 -> **Delete:** Authenticators can not be truly deleted therefore delete is soft.
 Delete will attempt to deativate the authenticator. An authenticator can only be
 deactivated if it's not in use by any other policy.`,
@@ -49,7 +51,7 @@ deactivated if it's not in use by any other policy.`,
 				Required:    true,
 				Description: "Display name of the Authenticator",
 				DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
-					return true
+					return d.Get("legacy_ignore_name").(bool)
 				},
 			},
 			"settings": {
@@ -157,6 +159,12 @@ deactivated if it's not in use by any other policy.`,
 				Computed:    true,
 				Description: "Provider type. Supported value for Duo: `DUO`. Supported value for Custom App: `PUSH`",
 			},
+			"legacy_ignore_name": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+				Description: "Name does not trigger change detection (legacy behavior)",
+			},
 		},
 	}
 }
@@ -358,13 +366,17 @@ func buildOTP(d *schema.ResourceData) (*sdk.OTP, error) {
 func validateAuthenticator(d *schema.ResourceData) error {
 	typ := d.Get("type").(string)
 	if typ == "security_key" {
-		h := d.Get("provider_hostname").(string)
-		_, pok := d.GetOk("provider_auth_port")
-		s := d.Get("provider_shared_secret").(string)
-		templ := d.Get("provider_user_name_template").(string)
-		if h == "" || s == "" || templ == "" || !pok {
-			return fmt.Errorf("for authenticator type '%s' fields 'provider_hostname', "+
-				"'provider_auth_port', 'provider_shared_secret' and 'provider_user_name_template' are required", typ)
+		if d.Get("key").(string) != "custom_otp" {
+			h := d.Get("provider_hostname").(string)
+			_, pok := d.GetOk("provider_auth_port")
+			s := d.Get("provider_shared_secret").(string)
+			templ := d.Get("provider_user_name_template").(string)
+			if h == "" || s == "" || templ == "" || !pok {
+				return fmt.Errorf("for authenticator type '%s' fields 'provider_hostname', "+
+					"'provider_auth_port', 'provider_shared_secret' and 'provider_user_name_template' are required", typ)
+			}
+		} else {
+			return fmt.Errorf("custom_otp is not updatable")
 		}
 	}
 

diff --git a/okta/resource_okta_authenticator_test.go b/okta/resource_okta_authenticator_test.go
@@ -21,6 +21,7 @@ func TestAccResourceOktaAuthenticatorOTP(t *testing.T) {
 		  "algorithm" : "HMacSHA256",
 		  "passCodeLength" : 6
 		})
+		legacy_ignore_name = false
 	}`
 	resourceName := fmt.Sprintf("%s.otp", authenticator)