okta · monde · Mar 7, 2023 · Mar 4, 2023 · Mar 7, 2023 · Mar 7, 2023
diff --git a/examples/okta_policy_password/basic.tf b/examples/okta_policy_password/basic.tf
@@ -6,6 +6,6 @@ resource "okta_policy_password" "test" {
   name                   = "testAcc_replace_with_uuid"
   status                 = "ACTIVE"
   description            = "Terraform Acceptance Test Password Policy"
-  password_history_count = 4
+  password_history_count = 5
   groups_included        = [data.okta_group.all.id]
 }
diff --git a/examples/okta_policy_password/basic_updated.tf b/examples/okta_policy_password/basic_updated.tf
@@ -17,14 +17,14 @@ resource "okta_policy_password" "test" {
   password_max_age_days                  = 60
   password_expire_warn_days              = 15
   password_min_age_minutes               = 60
-  password_history_count                 = 5
+  password_history_count                 = 0
   password_max_lockout_attempts          = 10
   password_auto_unlock_minutes           = 2
   password_show_lockout_failures         = true
   password_lockout_notification_channels = ["EMAIL"]
   question_min_length                    = 10
   recovery_email_token                   = 20160
   sms_recovery                           = "ACTIVE"
-  call_recovery                          = "ACTIVE"
+  #call_recovery                          = "ACTIVE"
   groups_included                        = [data.okta_group.all.id]
 }
diff --git a/examples/okta_policy_password_default/basic.tf b/examples/okta_policy_password_default/basic.tf
@@ -1,3 +1,4 @@
 resource "okta_policy_password_default" "test" {
   sms_recovery = "ACTIVE"
+	password_history_count = 5
 }
diff --git a/examples/okta_policy_password_default/basic_updated.tf b/examples/okta_policy_password_default/basic_updated.tf
@@ -1,3 +1,4 @@
 resource "okta_policy_password_default" "test" {
   sms_recovery = "INACTIVE"
+	password_history_count = 0
 }
diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-hclog v1.4.0
 	github.com/hashicorp/go-retryablehttp v0.7.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.25.0
-	github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6
+	github.com/okta/okta-sdk-golang/v2 v2.17.0
 	github.com/stretchr/testify v1.8.1
 )
 

diff --git a/go.sum b/go.sum
@@ -209,6 +209,8 @@ github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7 h1:NpPP
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6 h1:4QDfpHc9H0UG4XOVy3JISbHPXAu+3Gpkjo1NtQNdw0s=
 github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
+github.com/okta/okta-sdk-golang/v2 v2.17.0 h1:awY6FyunU4bA90KsQ4ygCJm2qunZTkjZKAq4DbphwSQ=
+github.com/okta/okta-sdk-golang/v2 v2.17.0/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 h1:pSCLCl6joCFRnjpeojzOpEYs4q7Vditq8fySFG5ap3Y=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

diff --git a/okta/config.go b/okta/config.go
@@ -91,20 +91,34 @@ func providerLogger(c *Config) hclog.Logger {
 
 func oktaSDKClient(c *Config) (client *okta.Client, err error) {
 	var httpClient *http.Client
+	logLevel := strings.ToLower(os.Getenv("TF_LOG"))
+	debugHttpRequests := (logLevel == "1" || logLevel == "debug" || logLevel == "trace")
 	if c.backoff {
 		retryableClient := retryablehttp.NewClient()
 		retryableClient.RetryWaitMin = time.Second * time.Duration(c.minWait)
 		retryableClient.RetryWaitMax = time.Second * time.Duration(c.maxWait)
 		retryableClient.RetryMax = c.retryCount
 		retryableClient.Logger = c.logger
-		retryableClient.HTTPClient.Transport = logging.NewSubsystemLoggingHTTPTransport("Okta", retryableClient.HTTPClient.Transport)
+		if debugHttpRequests {
+			// Needed for pretty printing http protocol in a local developer environment, ignore deprecation warnings.
+			//lint:ignore SA1019 used in developer mode only
+			retryableClient.HTTPClient.Transport = logging.NewTransport("Okta", retryableClient.HTTPClient.Transport)
+		} else {
+			retryableClient.HTTPClient.Transport = logging.NewSubsystemLoggingHTTPTransport("Okta", retryableClient.HTTPClient.Transport)
+		}
 		retryableClient.ErrorHandler = errHandler
 		retryableClient.CheckRetry = checkRetry
 		httpClient = retryableClient.StandardClient()
 		c.logger.Info(fmt.Sprintf("running with backoff http client, wait min %d, wait max %d, retry max %d", retryableClient.RetryWaitMin, retryableClient.RetryWaitMax, retryableClient.RetryMax))
 	} else {
 		httpClient = cleanhttp.DefaultClient()
-		httpClient.Transport = logging.NewSubsystemLoggingHTTPTransport("Okta", httpClient.Transport)
+		if debugHttpRequests {
+			// Needed for pretty printing http protocol in a local developer environment, ignore deprecation warnings.
+			//lint:ignore SA1019 used in developer mode only
+			httpClient.Transport = logging.NewTransport("Okta", httpClient.Transport)
+		} else {
+			httpClient.Transport = logging.NewSubsystemLoggingHTTPTransport("Okta", httpClient.Transport)
+		}
 		c.logger.Info("running with default http client")
 	}
 

diff --git a/okta/provider.go b/okta/provider.go
@@ -510,3 +510,8 @@ func datasourceOIEOnlyFeatureError(name string) diag.Diagnostics {
 func resourceFuncNoOp(context.Context, *schema.ResourceData, interface{}) diag.Diagnostics {
 	return nil
 }
+
+func int64Ptr(what int) *int64 {
+	result := int64(what)
+	return &result
+}
diff --git a/okta/resource_okta_policy_password.go b/okta/resource_okta_policy_password.go
@@ -209,24 +209,24 @@ func resourcePolicyPasswordRead(ctx context.Context, d *schema.ResourceData, m i
 		if err != nil {
 			return diag.Errorf("error setting notification channels for resource %s: %v", d.Id(), err)
 		}
-		_ = d.Set("password_min_length", policy.Settings.Password.Complexity.MinLength)
-		_ = d.Set("password_min_lowercase", policy.Settings.Password.Complexity.MinLowerCase)
-		_ = d.Set("password_min_uppercase", policy.Settings.Password.Complexity.MinUpperCase)
-		_ = d.Set("password_min_number", policy.Settings.Password.Complexity.MinNumber)
-		_ = d.Set("password_min_symbol", policy.Settings.Password.Complexity.MinSymbol)
+		_ = d.Set("password_min_length", *policy.Settings.Password.Complexity.MinLengthPtr)
+		_ = d.Set("password_min_lowercase", *policy.Settings.Password.Complexity.MinLowerCasePtr)
+		_ = d.Set("password_min_uppercase", *policy.Settings.Password.Complexity.MinUpperCasePtr)
+		_ = d.Set("password_min_number", *policy.Settings.Password.Complexity.MinNumberPtr)
+		_ = d.Set("password_min_symbol", *policy.Settings.Password.Complexity.MinSymbolPtr)
 		_ = d.Set("password_exclude_username", policy.Settings.Password.Complexity.ExcludeUsername)
 		if policy.Settings.Password.Complexity.Dictionary != nil && policy.Settings.Password.Complexity.Dictionary.Common != nil {
 			_ = d.Set("password_dictionary_lookup", policy.Settings.Password.Complexity.Dictionary.Common.Exclude)
 		}
-		_ = d.Set("password_max_age_days", policy.Settings.Password.Age.MaxAgeDays)
-		_ = d.Set("password_expire_warn_days", policy.Settings.Password.Age.ExpireWarnDays)
-		_ = d.Set("password_min_age_minutes", policy.Settings.Password.Age.MinAgeMinutes)
-		_ = d.Set("password_history_count", policy.Settings.Password.Age.HistoryCount)
-		_ = d.Set("password_max_lockout_attempts", policy.Settings.Password.Lockout.MaxAttempts)
-		_ = d.Set("password_auto_unlock_minutes", policy.Settings.Password.Lockout.AutoUnlockMinutes)
+		_ = d.Set("password_max_age_days", *policy.Settings.Password.Age.MaxAgeDaysPtr)
+		_ = d.Set("password_expire_warn_days", *policy.Settings.Password.Age.ExpireWarnDaysPtr)
+		_ = d.Set("password_min_age_minutes", *policy.Settings.Password.Age.MinAgeMinutesPtr)
+		_ = d.Set("password_history_count", *policy.Settings.Password.Age.HistoryCountPtr)
+		_ = d.Set("password_max_lockout_attempts", *policy.Settings.Password.Lockout.MaxAttemptsPtr)
+		_ = d.Set("password_auto_unlock_minutes", *policy.Settings.Password.Lockout.AutoUnlockMinutesPtr)
 		_ = d.Set("password_show_lockout_failures", policy.Settings.Password.Lockout.ShowLockoutFailures)
-		_ = d.Set("question_min_length", policy.Settings.Recovery.Factors.RecoveryQuestion.Properties.Complexity.MinLength)
-		_ = d.Set("recovery_email_token", policy.Settings.Recovery.Factors.OktaEmail.Properties.RecoveryToken.TokenLifetimeMinutes)
+		_ = d.Set("question_min_length", *policy.Settings.Recovery.Factors.RecoveryQuestion.Properties.Complexity.MinLengthPtr)
+		_ = d.Set("recovery_email_token", *policy.Settings.Recovery.Factors.OktaEmail.Properties.RecoveryToken.TokenLifetimeMinutesPtr)
 		_ = d.Set("sms_recovery", policy.Settings.Recovery.Factors.OktaSms.Status)
 		_ = d.Set("email_recovery", policy.Settings.Recovery.Factors.OktaEmail.Status)
 		_ = d.Set("question_recovery", policy.Settings.Recovery.Factors.RecoveryQuestion.Status)
@@ -278,7 +278,7 @@ func buildPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 		template.Description = description.(string)
 	}
 	if priority, ok := d.GetOk("priority"); ok {
-		template.Priority = int64(priority.(int))
+		template.PriorityPtr = int64Ptr(priority.(int))
 	}
 	template.Conditions = &okta.PolicyRuleConditions{
 		AuthProvider: &okta.PasswordPolicyAuthenticationProviderCondition{
@@ -291,10 +291,10 @@ func buildPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 	template.Settings = &sdk.PolicySettings{
 		Password: &okta.PasswordPolicyPasswordSettings{
 			Age: &okta.PasswordPolicyPasswordSettingsAge{
-				ExpireWarnDays: int64(d.Get("password_expire_warn_days").(int)),
-				HistoryCount:   int64(d.Get("password_history_count").(int)),
-				MaxAgeDays:     int64(d.Get("password_max_age_days").(int)),
-				MinAgeMinutes:  int64(d.Get("password_min_age_minutes").(int)),
+				ExpireWarnDaysPtr: int64Ptr(d.Get("password_expire_warn_days").(int)),
+				HistoryCountPtr:   int64Ptr(d.Get("password_history_count").(int)),
+				MaxAgeDaysPtr:     int64Ptr(d.Get("password_max_age_days").(int)),
+				MinAgeMinutesPtr:  int64Ptr(d.Get("password_min_age_minutes").(int)),
 			},
 			Complexity: &okta.PasswordPolicyPasswordSettingsComplexity{
 				Dictionary: &okta.PasswordDictionary{
@@ -304,15 +304,15 @@ func buildPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 				},
 				ExcludeAttributes: getExcludedAttrs(d.Get("password_exclude_first_name").(bool), d.Get("password_exclude_last_name").(bool)),
 				ExcludeUsername:   boolPtr(d.Get("password_exclude_username").(bool)),
-				MinLength:         int64(d.Get("password_min_length").(int)),
-				MinLowerCase:      int64(d.Get("password_min_lowercase").(int)),
-				MinNumber:         int64(d.Get("password_min_number").(int)),
-				MinSymbol:         int64(d.Get("password_min_symbol").(int)),
-				MinUpperCase:      int64(d.Get("password_min_uppercase").(int)),
+				MinLengthPtr:      int64Ptr(d.Get("password_min_length").(int)),
+				MinLowerCasePtr:   int64Ptr(d.Get("password_min_lowercase").(int)),
+				MinNumberPtr:      int64Ptr(d.Get("password_min_number").(int)),
+				MinSymbolPtr:      int64Ptr(d.Get("password_min_symbol").(int)),
+				MinUpperCasePtr:   int64Ptr(d.Get("password_min_uppercase").(int)),
 			},
 			Lockout: &okta.PasswordPolicyPasswordSettingsLockout{
-				AutoUnlockMinutes:               int64(d.Get("password_auto_unlock_minutes").(int)),
-				MaxAttempts:                     int64(d.Get("password_max_lockout_attempts").(int)),
+				AutoUnlockMinutesPtr:            int64Ptr(d.Get("password_auto_unlock_minutes").(int)),
+				MaxAttemptsPtr:                  int64Ptr(d.Get("password_max_lockout_attempts").(int)),
 				ShowLockoutFailures:             boolPtr(d.Get("password_show_lockout_failures").(bool)),
 				UserLockoutNotificationChannels: convertInterfaceToStringSet(d.Get("password_lockout_notification_channels")),
 			},
@@ -328,15 +328,15 @@ func buildPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 				OktaEmail: &okta.PasswordPolicyRecoveryEmail{
 					Properties: &okta.PasswordPolicyRecoveryEmailProperties{
 						RecoveryToken: &okta.PasswordPolicyRecoveryEmailRecoveryToken{
-							TokenLifetimeMinutes: int64(d.Get("recovery_email_token").(int)),
+							TokenLifetimeMinutesPtr: int64Ptr(d.Get("recovery_email_token").(int)),
 						},
 					},
 					Status: d.Get("email_recovery").(string),
 				},
 				RecoveryQuestion: &okta.PasswordPolicyRecoveryQuestion{
 					Properties: &okta.PasswordPolicyRecoveryQuestionProperties{
 						Complexity: &okta.PasswordPolicyRecoveryQuestionComplexity{
-							MinLength: int64(d.Get("question_min_length").(int)),
+							MinLengthPtr: int64Ptr(d.Get("question_min_length").(int)),
 						},
 					},
 					Status: d.Get("question_recovery").(string),

diff --git a/okta/resource_okta_policy_password_default.go b/okta/resource_okta_policy_password_default.go
@@ -219,21 +219,21 @@ func resourcePolicyPasswordDefaultRead(ctx context.Context, d *schema.ResourceDa
 	if policy.Settings.Password.Complexity.Dictionary != nil && policy.Settings.Password.Complexity.Dictionary.Common != nil {
 		_ = d.Set("password_dictionary_lookup", policy.Settings.Password.Complexity.Dictionary.Common.Exclude)
 	}
-	_ = d.Set("password_min_length", policy.Settings.Password.Complexity.MinLength)
-	_ = d.Set("password_min_lowercase", policy.Settings.Password.Complexity.MinLowerCase)
-	_ = d.Set("password_min_uppercase", policy.Settings.Password.Complexity.MinUpperCase)
-	_ = d.Set("password_min_number", policy.Settings.Password.Complexity.MinNumber)
-	_ = d.Set("password_min_symbol", policy.Settings.Password.Complexity.MinSymbol)
+	_ = d.Set("password_min_length", *policy.Settings.Password.Complexity.MinLengthPtr)
+	_ = d.Set("password_min_lowercase", *policy.Settings.Password.Complexity.MinLowerCasePtr)
+	_ = d.Set("password_min_uppercase", *policy.Settings.Password.Complexity.MinUpperCasePtr)
+	_ = d.Set("password_min_number", *policy.Settings.Password.Complexity.MinNumberPtr)
+	_ = d.Set("password_min_symbol", *policy.Settings.Password.Complexity.MinSymbolPtr)
 	_ = d.Set("password_exclude_username", policy.Settings.Password.Complexity.ExcludeUsername)
-	_ = d.Set("password_max_age_days", policy.Settings.Password.Age.MaxAgeDays)
-	_ = d.Set("password_expire_warn_days", policy.Settings.Password.Age.ExpireWarnDays)
-	_ = d.Set("password_min_age_minutes", policy.Settings.Password.Age.MinAgeMinutes)
-	_ = d.Set("password_history_count", policy.Settings.Password.Age.HistoryCount)
-	_ = d.Set("password_max_lockout_attempts", policy.Settings.Password.Lockout.MaxAttempts)
-	_ = d.Set("password_auto_unlock_minutes", policy.Settings.Password.Lockout.AutoUnlockMinutes)
+	_ = d.Set("password_max_age_days", *policy.Settings.Password.Age.MaxAgeDaysPtr)
+	_ = d.Set("password_expire_warn_days", *policy.Settings.Password.Age.ExpireWarnDaysPtr)
+	_ = d.Set("password_min_age_minutes", *policy.Settings.Password.Age.MinAgeMinutesPtr)
+	_ = d.Set("password_history_count", *policy.Settings.Password.Age.HistoryCountPtr)
+	_ = d.Set("password_max_lockout_attempts", *policy.Settings.Password.Lockout.MaxAttemptsPtr)
+	_ = d.Set("password_auto_unlock_minutes", *policy.Settings.Password.Lockout.AutoUnlockMinutesPtr)
 	_ = d.Set("password_show_lockout_failures", policy.Settings.Password.Lockout.ShowLockoutFailures)
-	_ = d.Set("question_min_length", policy.Settings.Recovery.Factors.RecoveryQuestion.Properties.Complexity.MinLength)
-	_ = d.Set("recovery_email_token", policy.Settings.Recovery.Factors.OktaEmail.Properties.RecoveryToken.TokenLifetimeMinutes)
+	_ = d.Set("question_min_length", *policy.Settings.Recovery.Factors.RecoveryQuestion.Properties.Complexity.MinLengthPtr)
+	_ = d.Set("recovery_email_token", *policy.Settings.Recovery.Factors.OktaEmail.Properties.RecoveryToken.TokenLifetimeMinutesPtr)
 	_ = d.Set("sms_recovery", policy.Settings.Recovery.Factors.OktaSms.Status)
 	_ = d.Set("email_recovery", policy.Settings.Recovery.Factors.OktaEmail.Status)
 	_ = d.Set("question_recovery", policy.Settings.Recovery.Factors.RecoveryQuestion.Status)
@@ -256,7 +256,7 @@ func buildDefaultPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 	policy.Name = d.Get("name").(string)
 	policy.Status = d.Get("status").(string)
 	policy.Description = d.Get("description").(string)
-	policy.Priority = int64(d.Get("priority").(int))
+	policy.PriorityPtr = int64Ptr(d.Get("priority").(int))
 	policy.Conditions = &okta.PolicyRuleConditions{
 		AuthProvider: &okta.PasswordPolicyAuthenticationProviderCondition{
 			Provider: d.Get("default_auth_provider").(string),
@@ -272,10 +272,10 @@ func buildDefaultPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 	policy.Settings = &sdk.PolicySettings{
 		Password: &okta.PasswordPolicyPasswordSettings{
 			Age: &okta.PasswordPolicyPasswordSettingsAge{
-				ExpireWarnDays: int64(d.Get("password_expire_warn_days").(int)),
-				HistoryCount:   int64(d.Get("password_history_count").(int)),
-				MaxAgeDays:     int64(d.Get("password_max_age_days").(int)),
-				MinAgeMinutes:  int64(d.Get("password_min_age_minutes").(int)),
+				ExpireWarnDaysPtr: int64Ptr(d.Get("password_expire_warn_days").(int)),
+				HistoryCountPtr:   int64Ptr(d.Get("password_history_count").(int)),
+				MaxAgeDaysPtr:     int64Ptr(d.Get("password_max_age_days").(int)),
+				MinAgeMinutesPtr:  int64Ptr(d.Get("password_min_age_minutes").(int)),
 			},
 			Complexity: &okta.PasswordPolicyPasswordSettingsComplexity{
 				Dictionary: &okta.PasswordDictionary{
@@ -285,15 +285,15 @@ func buildDefaultPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 				},
 				ExcludeAttributes: getExcludedAttrs(d.Get("password_exclude_first_name").(bool), d.Get("password_exclude_last_name").(bool)),
 				ExcludeUsername:   boolPtr(d.Get("password_exclude_username").(bool)),
-				MinLength:         int64(d.Get("password_min_length").(int)),
-				MinLowerCase:      int64(d.Get("password_min_lowercase").(int)),
-				MinNumber:         int64(d.Get("password_min_number").(int)),
-				MinSymbol:         int64(d.Get("password_min_symbol").(int)),
-				MinUpperCase:      int64(d.Get("password_min_uppercase").(int)),
+				MinLengthPtr:      int64Ptr(d.Get("password_min_length").(int)),
+				MinLowerCasePtr:   int64Ptr(d.Get("password_min_lowercase").(int)),
+				MinNumberPtr:      int64Ptr(d.Get("password_min_number").(int)),
+				MinSymbolPtr:      int64Ptr(d.Get("password_min_symbol").(int)),
+				MinUpperCasePtr:   int64Ptr(d.Get("password_min_uppercase").(int)),
 			},
 			Lockout: &okta.PasswordPolicyPasswordSettingsLockout{
-				AutoUnlockMinutes:               int64(d.Get("password_auto_unlock_minutes").(int)),
-				MaxAttempts:                     int64(d.Get("password_max_lockout_attempts").(int)),
+				AutoUnlockMinutesPtr:            int64Ptr(d.Get("password_auto_unlock_minutes").(int)),
+				MaxAttemptsPtr:                  int64Ptr(d.Get("password_max_lockout_attempts").(int)),
 				ShowLockoutFailures:             boolPtr(d.Get("password_show_lockout_failures").(bool)),
 				UserLockoutNotificationChannels: convertInterfaceToStringSet(d.Get("password_lockout_notification_channels")),
 			},
@@ -309,15 +309,15 @@ func buildDefaultPasswordPolicy(d *schema.ResourceData) sdk.Policy {
 				OktaEmail: &okta.PasswordPolicyRecoveryEmail{
 					Properties: &okta.PasswordPolicyRecoveryEmailProperties{
 						RecoveryToken: &okta.PasswordPolicyRecoveryEmailRecoveryToken{
-							TokenLifetimeMinutes: int64(d.Get("recovery_email_token").(int)),
+							TokenLifetimeMinutesPtr: int64Ptr(d.Get("recovery_email_token").(int)),
 						},
 					},
 					Status: d.Get("email_recovery").(string),
 				},
 				RecoveryQuestion: &okta.PasswordPolicyRecoveryQuestion{
 					Properties: &okta.PasswordPolicyRecoveryQuestionProperties{
 						Complexity: &okta.PasswordPolicyRecoveryQuestionComplexity{
-							MinLength: int64(d.Get("question_min_length").(int)),
+							MinLengthPtr: int64Ptr(d.Get("question_min_length").(int)),
 						},
 					},
 					Status: d.Get("question_recovery").(string),