
Unable to manage third-party device assurance policies for Windows/Mac #1764

Closed
sgal-dm opened this issue Oct 13, 2023 · 4 comments · Fixed by #2046
Labels
bug triaged Triaged into internal Jira

Comments

@sgal-dm

sgal-dm commented Oct 13, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.6

Affected Resource(s)

  • okta_policy_device_assurance_windows
  • okta_policy_device_assurance_macos

Terraform Configuration Files

resource "okta_policy_device_assurance_macos" "macos_chrome" {
  name                          = "MACOS-CHROME"
  tpsp_device_enrollment_domain = "test.xyz"
  tpsp_os_version               = "13.0.0"
  tpsp_disk_encrypted           = true
  tpsp_screen_lock_secured      = true
}

resource "okta_policy_device_assurance_windows" "windows_chrome" {
  name                          = "WINDOWS-CHROME"
  tpsp_device_enrollment_domain = "test.xyz"
  tpsp_os_version               = "10.0.19045.0"
  tpsp_disk_encrypted           = true
  tpsp_screen_lock_secured      = true
}

Debug Output

Panic Output

Expected Behavior

Two Device Assurance Policies are created that use the Chrome Device Trust integration to check device posture.

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

Yes

Actual Behavior

Input validation in the resources rejects both, noting that Verify-specific attributes are required:

Error: Invalid Attribute Combination
│ 
│   with module.main.module.okta_org_settings.okta_policy_device_assurance_macos.macos_chrome,
│   on config.tf line N, in resource "okta_policy_device_assurance_macos" "macos_chrome":
│   N: resource "okta_policy_device_assurance_windows" "windows_chrome" {
│ 
│ At least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified

Error: Invalid Attribute Combination
│ 
│   with module.main.module.okta_org_settings.okta_policy_device_assurance_windows.windows_chrome,
│   on config.tf line N, in resource "okta_policy_device_assurance_windows" "windows_chrome":
│   N: resource "okta_policy_device_assurance_windows" "windows_chrome" {
│ 
│ At least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified

Specifying one of those attributes creates a policy that uses Okta Verify rather than the third-party provider.
As a temporary workaround, we added os_version, applied, then manually fixed the policy in the admin console. The provider doesn't see the fixed policy as requiring an update.

Steps to Reproduce

  1. Run a terraform apply with the above configuration
  2. Observe that the above error is encountered, preventing the creation of a third-party device assurance policy.

Important Factoids

  • This only seems to impact the MacOS and Windows policy resources. We successfully created a ChromeOS policy that uses the Chrome Device Trust integration via Terraform.
  • As noted, adding one of the attributes required by the provider's validation and then manually fixing the resulting policy works around the issue but creates a fragile resource.
  • Tested with the latest provider (4.4.3)

References
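To make the reported defect concrete, the following Go sketch is added here as an illustration; it is not the Okta Terraform provider's code and does not reproduce PR #2046. It models the two attribute groups of the macOS/Windows device assurance resources as a struct, shows a validator that behaves the way the error text in the report describes (only os_version, secure_hardware_present and screenlock_type count), and places a corrected validator beside it that accepts a policy backed solely by tpsp_* attributes. The struct, the function names, and the decision in validateFixed to reject a policy that mixes both groups are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// DeviceAssurancePolicy models the attributes of the
// okta_policy_device_assurance_macos / _windows resources that matter to the
// report. Field names mirror the HCL attribute names; a nil pointer or empty
// slice means "not set". The struct is written for this example and is not
// the provider's own schema type.
type DeviceAssurancePolicy struct {
	Name string

	// Okta Verify posture attributes: the group the provider's original
	// validation insisted on (see the error text in the report).
	OSVersion             *string
	SecureHardwarePresent *bool
	ScreenlockType        []string

	// Third-party signal provider (Chrome Device Trust) attributes.
	TPSPDeviceEnrollmentDomain *string
	TPSPOSVersion              *string
	TPSPDiskEncrypted          *bool
	TPSPScreenLockSecured      *bool
}

// ErrInvalidCombination wraps every rejection so callers can test for it.
var ErrInvalidCombination = errors.New("invalid attribute combination")

func (p DeviceAssurancePolicy) hasVerifyAttributes() bool {
	return p.OSVersion != nil || p.SecureHardwarePresent != nil || len(p.ScreenlockType) > 0
}

func (p DeviceAssurancePolicy) hasTPSPAttributes() bool {
	return p.TPSPDeviceEnrollmentDomain != nil || p.TPSPOSVersion != nil ||
		p.TPSPDiskEncrypted != nil || p.TPSPScreenLockSecured != nil
}

// validateOriginal reproduces the behaviour described in the report: only
// the Okta Verify group counts, so a policy carrying nothing but tpsp_*
// attributes is rejected even though the Admin UI and the API accept it.
func validateOriginal(p DeviceAssurancePolicy) error {
	if !p.hasVerifyAttributes() {
		return fmt.Errorf("%w: %s: at least one attribute out of [os_version,secure_hardware_present,screenlock_type] must be specified",
			ErrInvalidCombination, p.Name)
	}
	return nil
}

// validateFixed is the corrected rule used in this example (an assumption,
// not the wording of the upstream fix): a policy must name exactly one
// posture source. Either group alone is valid, an empty policy is still
// rejected, and mixing the groups is rejected because the report shows that
// adding a Verify attribute silently turns the policy into a Verify policy.
func validateFixed(p DeviceAssurancePolicy) error {
	verify, tpsp := p.hasVerifyAttributes(), p.hasTPSPAttributes()
	switch {
	case verify && tpsp:
		return fmt.Errorf("%w: %s: okta verify attributes and tpsp_* attributes cannot be combined",
			ErrInvalidCombination, p.Name)
	case !verify && !tpsp:
		return fmt.Errorf("%w: %s: specify either [os_version,secure_hardware_present,screenlock_type] or at least one tpsp_* attribute",
			ErrInvalidCombination, p.Name)
	}
	return nil
}

func strPtr(s string) *string { return &s }
func boolPtr(b bool) *bool    { return &b }

// macosChrome transcribes the reporter's okta_policy_device_assurance_macos
// block from the issue into the model above.
func macosChrome() DeviceAssurancePolicy {
	return DeviceAssurancePolicy{
		Name:                       "MACOS-CHROME",
		TPSPDeviceEnrollmentDomain: strPtr("test.xyz"),
		TPSPOSVersion:              strPtr("13.0.0"),
		TPSPDiskEncrypted:          boolPtr(true),
		TPSPScreenLockSecured:      boolPtr(true),
	}
}

func main() {
	p := macosChrome()
	fmt.Println("original:", validateOriginal(p)) // rejected, as in the report
	fmt.Println("fixed:   ", validateFixed(p))    // <nil>
}
```

Running it with the reporter's macOS block shows the original rule producing the "at least one attribute out of [...]" rejection while the corrected rule accepts the policy; the same model also rejects an empty policy and one that mixes the two groups, which is the silent-downgrade case the workaround in the report ran into.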

@duytiennguyen-okta duytiennguyen-okta added the triaged Triaged into internal Jira label Oct 17, 2023
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-658712

@Mrorya

Mrorya commented Oct 19, 2023

This is also an issue on provider version 4.5.0

@Mrorya

Mrorya commented Jun 25, 2024

This is still an issue on provider version 4.9.1 :(

@toddthiel

So this issue has been kicking around for over a year.
