Adds support to create users with credentials

articulate · Nov 14, 2019 · a95efd4 · a95efd4
1 parent bfb2bc4
commit a95efd4
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 1 deletion.
diff --git a/examples/okta_user/basic_with_credentials.tf b/examples/okta_user/basic_with_credentials.tf
@@ -0,0 +1,9 @@
+resource "okta_user" "test" {
+  first_name        = "TestAcc"
+  last_name         = "Smith"
+  login             = "test-acc-replace_with_uuid@example.com"
+  email             = "test-acc-replace_with_uuid@example.com"
+  password          = "Abcd1234"
+  recovery_question = "What is the answer to life, the universe, and everything?"
+  recovery_answer   = "Forty Two"
+}
diff --git a/okta/resource_okta_user.go b/okta/resource_okta_user.go
@@ -47,6 +47,9 @@ var profileKeys = []string{
 	"title",
 	"user_type",
 	"zip_code",
+	"password",
+	"recovery_question",
+	"recovery_answer",
 }
 
 func resourceUser() *schema.Resource {
@@ -265,6 +268,23 @@ func resourceUser() *schema.Resource {
 				Optional:    true,
 				Description: "User zipcode or postal code",
 			},
+			"password": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Sensitive:   true,
+				Description: "User Password",
+			},
+			"recovery_question": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "User Password Recovery Question",
+			},
+			"recovery_answer": &schema.Schema{
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringLenBetween(4, 100), // Hope no one uses > 10
+				Description:  "User Password Recovery Answer",
+			},
 		},
 	}
 }
@@ -291,7 +311,31 @@ func resourceUserCreate(d *schema.ResourceData, m interface{}) error {
 		qp = query.NewQueryParams(query.WithActivate(false))
 	}
 
-	userBody := okta.User{Profile: profile}
+	password := d.Get("password").(string)
+	recoveryQuestion := d.Get("recovery_question").(string)
+	recoveryAnswer := d.Get("recovery_answer").(string)
+
+	if recoveryQuestion != "" && len(recoveryAnswer) < 4 {
+		return fmt.Errorf("[ERROR] Okta does not allow security answers with less than 4 characters")
+	}
+
+	uc := &okta.UserCredentials{
+		Password: &okta.PasswordCredential{
+			Value: password,
+		},
+	}
+
+	if recoveryQuestion != "" {
+		uc.RecoveryQuestion = &okta.RecoveryQuestionCredential{
+			Question: recoveryQuestion,
+			Answer:   recoveryAnswer,
+		}
+	}
+
+	userBody := okta.User{
+		Profile:     profile,
+		Credentials: uc,
+	}
 	user, _, err := client.User.CreateUser(userBody, qp)
 
 	if err != nil {
@@ -383,6 +427,7 @@ func resourceUserUpdate(d *schema.ResourceData, m interface{}) error {
 	roleChange := d.HasChange("admin_roles")
 	groupChange := d.HasChange("group_memberships")
 	userChange := hasProfileChange(d)
+	passwordChange := d.HasChange("password")
 
 	// run the update status func first so a user that was previously deprovisioned
 	// can be updated further if it's status changed in it's terraform configs
@@ -423,6 +468,27 @@ func resourceUserUpdate(d *schema.ResourceData, m interface{}) error {
 		}
 		d.SetPartial("group_memberships")
 	}
+
+	if passwordChange {
+		oldPassword, newPassword := d.GetChange("password")
+
+		op := &okta.PasswordCredential{
+			Value: oldPassword.(string),
+		}
+		np := &okta.PasswordCredential{
+			Value: newPassword.(string),
+		}
+		npr := &okta.ChangePasswordRequest{
+			OldPassword: op,
+			NewPassword: np,
+		}
+
+		_, _, err := client.User.ChangePassword(d.Id(), *npr, nil)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Error Updating User password in Okta: %v", err)
+		}
+	}
+
 	d.Partial(false)
 
 	return resourceUserRead(d, m)

diff --git a/okta/resource_okta_user_test.go b/okta/resource_okta_user_test.go
@@ -169,6 +169,7 @@ func TestAccOktaUser_updateAllAttributes(t *testing.T) {
 	config := mgr.GetFixtures("staged.tf", ri, t)
 	updatedConfig := mgr.GetFixtures("all_attributes.tf", ri, t)
 	minimalConfig := mgr.GetFixtures("basic.tf", ri, t)
+	minimalConfigWithCredentials := mgr.GetFixtures("basic_with_credentials.tf", ri, t)
 	resourceName := fmt.Sprintf("%s.test", oktaUser)
 	email := fmt.Sprintf("test-acc-%d@example.com", ri)
 
@@ -233,6 +234,17 @@ func TestAccOktaUser_updateAllAttributes(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "email", email),
 				),
 			},
+			{
+				Config: minimalConfigWithCredentials,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "first_name", "TestAcc"),
+					resource.TestCheckResourceAttr(resourceName, "last_name", "Smith"),
+					resource.TestCheckResourceAttr(resourceName, "login", email),
+					resource.TestCheckResourceAttr(resourceName, "email", email),
+					resource.TestCheckResourceAttr(resourceName, "password", "Abcd1234"),
+					resource.TestCheckResourceAttr(resourceName, "recovery_answer", "Forty Two"),
+				),
+			},
 		},
 	})
 }

diff --git a/website/docs/r/user.html.markdown b/website/docs/r/user.html.markdown
@@ -99,6 +99,12 @@ The following arguments are supported:
 
 * `zip_code` - (Optional) User profile property.
 
+* `password` - (Optional) User password.
+
+* `recovery_question` - (Optional) User password recovery question.
+
+* `recovery_answer` - (Optional) User password recovery answer.
+
 ## Attributes Reference
 
 * `index` - (Optional) ID of the User schema property.