okta AUTH_METHOD_CHAIN API has broken the okta terraform provider for AUTH_METHOD_CHAIN #2080

Open
hixichen opened this issue Sep 9, 2024 · 2 comments
Labels
bug OKTA-803079 triaged Triaged into internal Jira

hixichen commented Sep 9, 2024

Okta AUTH_METHOD_CHAIN API Breaking Change Affecting Terraform Provider

Environment

  • Terraform version: 1.9.5
  • Okta Terraform provider version: 4.10.0
  • Platform: darwin_arm64

Issue Description

The recent update to the Okta AUTH_METHOD_CHAIN API (as described in the 2024 Okta Identity Engine release notes) has introduced a breaking change that affects the Okta Terraform provider's handling of AUTH_METHOD_CHAIN.

Current Behavior

The Okta Terraform provider is not correctly handling the new API structure for AUTH_METHOD_CHAIN, leading to potential misconfigurations or errors when managing Okta resources through Terraform.

Expected Behavior

The Okta Terraform provider should be updated to support the new API structure for AUTH_METHOD_CHAIN, specifically the actions.appSignOn.verificationMethod.chains field.

API Change Details

The Okta API now expects the AUTH_METHOD_CHAIN configuration to be structured as follows:

{
  "actions": {
    "appSignOn": {
      "access": "ALLOW",
      "verificationMethod": {
        "chains": [
          // Chain configuration here
        ],
        "type": "AUTH_METHOD_CHAIN"
      }
    }
  }
}

However, the current Terraform provider is still using the old structure:

{
 "actions": {
  "appSignOn": {
   "access": "ALLOW",
   "verificationMethod": {
    "constraints": [
     {
      "possession": {
       "authenticationMethods": [
        {
         "key": "okta_verify",
         "method": "SIGNED_NONCE"
        },
        {
         "key": "webauthn",
         "method": "WEBAUTHN"
        }
       ],
       "required": true
      }
     },
     {
      "knowledge": {
       "authenticationMethods": [
        {
         "key": "okta_password",
         "method": "PASSWORD"
        }
       ],
       "required": true
      }
     }
    ],
    "reauthenticateIn": "PT43800H",
    "type": "AUTH_METHOD_CHAIN"
   }
  }
 }
}

Steps to Reproduce

  1. Use the Okta Terraform provider (v4.10.0) with Terraform (v1.9.5).
  2. Attempt to configure an Okta resource using the AUTH_METHOD_CHAIN verification method.

resource "okta_app_signon_policy" "tmp" {
  name        = "Login Authentication Policy"
  description = "This policy will apply to users xxxx"
}


resource "okta_app_signon_policy_rule" "tmp" {
  policy_id                   = okta_app_signon_policy.tmp.id
  name                        = "Login (DUO/OktaYubikey/Fastpass)"
  priority                    = 5
  status                      = "ACTIVE"
  access                      = "ALLOW"
  factor_mode                 = ""
  inactivity_period           = ""
  network_connection          = "ANYWHERE"
  risk_score                  = "ANY"
  groups_included             = [data.okta_group.groups["xxxx"].id]
  re_authentication_frequency = "PT20H"
  constraints                 = []

  type = "AUTH_METHOD_CHAIN"
}

  3. Apply the Terraform configuration.

Impact

This breaking change prevents users from properly managing Okta resources that use the AUTH_METHOD_CHAIN verification method through Terraform, potentially leading to misconfigurations or the inability to use this feature.

Proposed Solution

Update the Okta Terraform provider to support the new API structure for AUTH_METHOD_CHAIN, including the chains field and any other related changes introduced in the Okta API update.

Additional Notes

This issue is related to an Early Access (Self-Service) feature that can be enabled from the Settings > Features page in t
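
As an added example (not part of the original issue and not the provider's own code): a small Python check that sorts rule payloads by which of the two `verificationMethod` shapes shown in the issue they carry, so rules still using `constraints`, or carrying neither field, can be found before an apply. The function names, sample rule names and the placeholder chain entry are assumptions; the issue does not show what goes inside a chain.

```python
import json

CHAIN_TYPE = "AUTH_METHOD_CHAIN"

def verification_method(rule):
    """Walk actions.appSignOn.verificationMethod; None if any level is absent."""
    node = rule
    for key in ("actions", "appSignOn", "verificationMethod"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None

def classify_rule(rule):
    """Label a rule payload by the shape of its verificationMethod."""
    vm = verification_method(rule)
    if vm is None:
        return "malformed"
    if vm.get("type") != CHAIN_TYPE:
        return "other-type"
    chains, constraints = vm.get("chains"), vm.get("constraints")
    has_chains = isinstance(chains, list) and len(chains) > 0
    has_constraints = isinstance(constraints, list) and len(constraints) > 0
    if has_chains and has_constraints:
        return "mixed"
    if has_chains:
        return "chains"
    if has_constraints:
        return "legacy-constraints"
    return "empty"  # type is AUTH_METHOD_CHAIN but nothing is listed

def audit(rules):
    """Return {rule name: label} for every rule that needs review."""
    findings = {}
    for name, rule in rules.items():
        label = classify_rule(rule)
        if label not in ("chains", "other-type"):
            findings[name] = label
    return findings

# Constructed sample payloads; the chain entry is a placeholder, not real chain syntax.
SAMPLES = json.loads("""{
 "new-shape": {"actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {"chains": [{"placeholder": "elided on the page"}], "type": "AUTH_METHOD_CHAIN"}}}},
 "old-shape": {"actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {"constraints": [{"knowledge": {"authenticationMethods": [{"key": "okta_password", "method": "PASSWORD"}], "required": true}}], "reauthenticateIn": "PT43800H", "type": "AUTH_METHOD_CHAIN"}}}},
 "empty": {"actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {"constraints": [], "type": "AUTH_METHOD_CHAIN"}}}},
 "no-method": {"actions": {"appSignOn": {"access": "ALLOW"}}}
}""")

if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{name}: {label}")
```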

@monde monde added the triaged Triaged into internal Jira label Sep 10, 2024
Collaborator

monde commented Sep 10, 2024

@monde monde added the bug label Sep 10, 2024
Collaborator

monde commented Sep 10, 2024

Thanks for the very detailed bug notes with steps to reproduce and proposal for a fix @hixichen
