Skip to content

Latest commit

 

History

History

password-policy

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
rules.tf
rules.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

password-policy

This module creates following resources.

  • okta_policy_password (optional)
  • okta_policy_password_default (optional)
  • okta_policy_rule_password (optional)

Requirements

Name Version
terraform >= 1.8
okta >= 4.8

Providers

Name Version
okta 4.8.1

Modules

No modules.

Resources

Name Type
okta_policy_password.this resource
okta_policy_password_default.this resource
okta_policy_rule_password.this resource
okta_group.this data source

Inputs

Name Description Type Default Required
name (Required) A name of the Okta Password Policy. Use default to manage the default password policy. string n/a yes
authentication_provider (Optional) The authentication provider which the Okta Password Policy applies to. Valid values are OKTA, LDAP, ACTIVE_DIRECTORY. Defaults to OKTA. string "OKTA" no
complexity (Optional) A configuration for password complexity requirements of the Okta Password Policy. complexity block as defined below.
(Optional) min_length - Minimum password length. Defaults to 8.
(Optional) lowercase_required - If a password must contain at least one lower case letter. Defaults to true.
(Optional) uppercase_required - If a password must contain at least one upper case letter. Defaults to true.
(Optional) number_required - If a password must contain at least one number. Defaults to true.
(Optional) symbol_required - If a password must contain at least one symbol (!@#$%^&*). Defaults to false.
(Optional) first_name_restricted - If a password must not contain the user's first name. Defaults to false.
(Optional) last_name_restricted - If a password must not contain the user's last name. Defaults to false.
(Optional) username_restricted - If a password must not contain the user's username. Defaults to true.
(Optional) common_password_restricted - Whether to restrict passwords against common password dictionary. Defaults to true.
(Optional) reuse_restriction_count - The number of distinct passwords that must be created before they can be reused. The value of 0 means no restriction. Defaults to 0.		 
object({
    min_length = optional(number, 8)

    lowercase_required = optional(bool, true)
    uppercase_required = optional(bool, true)
    number_required    = optional(bool, true)
    symbol_required    = optional(bool, false)

    first_name_restricted      = optional(bool, false)
    last_name_restricted       = optional(bool, false)
    username_restricted        = optional(bool, true)
    common_password_restricted = optional(bool, true)

    reuse_restriction_count = optional(number, 0)
  })
 {} no
description (Optional) A description of the Okta Password Policy. Only used when name is not default. string "Managed by Terraform." no
enabled (Optional) Whether to enable the Okta Password Policy. Defaults to true. Only used when name is not default. bool true no
expiration (Optional) A configuration for password expiration of the Okta Password Policy. expiration block as defined below.
(Optional) max_age_days - The number of days before a password expires. The value of 0 means no expiration. Defaults to 0.
(Optional) min_age_minutes - The minimum number of minutes that must pass before a password can be changed. The value of 0 means no limit. Defaults to 0<br> (Optional) remind_before_days- The number of days before a password expires to remind the user. The value of0means no reminder. Defaults to0.<br>		 
object({
    max_age_days       = optional(number, 0)
    min_age_minutes    = optional(number, 0)
    remind_before_days = optional(number, 0)
  })
 {} no
groups (Optional) A set of group IDs to assign the Okta Password Policy to. set(string) [] no
lockout (Optional) A configuration for password lock-out of the Okta Password Policy. lockout block as defined below.
(Optional) max_attempts - Maximum number of unsuccessful login attempts before a user is locked out. The value of 0 means no limit. Defaults to 10.
(Optional) duration - Number of minutes before a locked account is unlocked. The value of 0 means no limit. Defaults to 60.
(Optional) show_failures - Whether to inform a user when their account is locked. Defaults to false.
(Optional) notification_channels - A set of notification channels to use to notify a user when their account has been locked. Valid values are EMAIL, SMS, PUSH. Defaults to EMAIL.		 
object({
    max_attempts          = optional(number, 10)
    duration              = optional(number, 60)
    show_failures         = optional(bool, false)
    notification_channels = optional(set(string), ["EMAIL"])
  })
 {} no
priority (Optional) A priority of the Okta Password Policy. Only used when name is not default. number null no
recovery (Optional) A configuration for password recovery of the Okta Password Policy. recovery block as defined below.
(Optional) call - A configuration for password recovery call. call block as defined below.
(Optional) enabled - Whether to enable password recovery call. Defaults to false.
(Optional) email - A configuration for password recovery email. email block as defined below.
(Optional) enabled - Whether to enable password recovery email. Defaults to true.
(Optional) token_ttl - Lifetime in minutes of the recovery email token. Defaults to 60.
(Optional) question - A configuration for password recovery question. question block as defined below.
(Optional) enabled - Whether to enable password recovery question. Defaults to false.
(Optional) min_answer_length - Minimum length of the password recovery question answer. Defaults to 4.
(Optional) sms - A configuration for password recovery sms. sms block as defined below.
(Optional) enabled - Whether to enable password recovery sms. Defaults to false.		 
object({
    call = optional(object({
      enabled = optional(bool, false)
    }), {})
    email = optional(object({
      enabled   = optional(bool, true)
      token_ttl = optional(number, 60)
    }), {})
    question = optional(object({
      enabled           = optional(bool, false)
      min_answer_length = optional(number, 4)
    }), {})
    sms = optional(object({
      enabled = optional(bool, false)
    }), {})
  })
 {} no
rules (Optional) A configuration for rules of the Okta Password Policy. Each item of rules block as defined below.
(Required) name - A name of the password policy rule.
(Optional) priority - A priority of the password policy rule. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
(Optional) enabled - Whether to enable password policy rule. Defaults to true.
(Optional) condition - A condition of the password policy rule. condition block as defined below.
(Optional) excluded_users - A set of user IDs to exclude.
(Optional) network - A configuration for network condition. network block as defined below.
(Optional) excluded_zones - A set of zone IDs to exclude.
(Optional) included_zones - A set of zone IDs to include.
(Optional) allow_password_change - Whether to allow users to change their password. Defaults to true.
(Optional) allow_password_reset - Whether to allow users to reset their password. Defaults to true.
(Optional) allow_password_unlock - Whether to allow users to unlock. Defaults to false.		 
list(object({
    name     = string
    priority = optional(number)
    enabled  = optional(bool, true)

    condition = optional(object({
      excluded_users = optional(set(string), [])
      network = optional(object({
        excluded_zones = optional(set(string), [])
        included_zones = optional(set(string), [])
      }), {})
    }), {})

    allow_password_change = optional(bool, true)
    allow_password_reset  = optional(bool, true)
    allow_password_unlock = optional(bool, false)
  }))
 [] no

Outputs

Name Description
authentication_provider The authentication provider which the Okta Password Policy applies to.
complexity The complexity requirements of the Okta Password Policy.
description The description of the Okta Password Policy.
enabled Whether the Okta Password Policy is enabled.
expiration The configuration for password expiration of the Okta Password Policy.
groups The information for the assigned groups of the Okta Password Policy.
id The ID of the Okta Password Policy.
lockout The configuration for password lock-out of the Okta Password Policy.
name The name of the Okta Password Policy.
priority The priority of the Okta Password Policy.
recovery The configuration for password recovery of the Okta Password Policy.
rules The configuration for rules of the Okta Password Policy.