Adds support to create users with credentials

[vijetm]

• Create user with password and recovery question/answer
• Added a new test to check for credentials update

[vijetm]

@quantumew - I have tested the config manually, but haven't run the acceptance tests. Is there a way to run a single acceptance test?
I used go test -run TestAccOktaUser_updateAllAttributes and it passes.
Is there a better way to run acceptance tests locally?

[quantumew]

@vijetm try TEST_FILTER=TestAccOktaUser_updateAllAttributes make testacc

[vijetm]

Just found a bug in this code where recovery_question isn't being set for a user. Will fix it.
Will also need to update the tests to check if it is set. Sorry for this half-baked PR. :|

[quantumew]

No worries at all. Thanks for the contribution. I will wait to review it.

[vijetm]

@quantumew - I have fixed the bug and tested it. Also ran the user resource related acceptance tests. Review when you can.

[quantumew]

Hey @vijetm thanks for your update! Just a few things to address, thanks!

[quantumew]

I think we want this to be Sensitive: true. Can we also make it clear in the docs and description that this WILL be stored in plain text in state?

[quantumew]

It also looks like these properties are set on create only. Can we make that clear? "User's initial password. This value cannot be updated."

Technically these should be ForceNew: true if they can only be set on create. We should warn of that in the description.

[vijetm]

Technically, okta has an API that allows you to update a user's password. The go lang SDK also has an API to do this - https://github.com/okta/okta-sdk-golang/blob/master/tests/integration/user_test.go#L237
Would we still need the ForceNew: true flag?

[quantumew]

Oh coolio, no in that case we would just need to update our update function and support that. Hopefully I am reading this diff right, I am only seeing this logic in resourceUserCreate

[vijetm]

Yes, you're reading it right. 😄
I will update the resourceUserUpdate function as well.

[vijetm]

I believe I've addressed all your concerns. Take a look.

[quantumew]

This can be done via a ValidationFunc in the schema attribute.

[quantumew]

This can be cleaned up a bit, no need to instantiate the struct twice

	uc := &okta.UserCredentials{
		Password: &okta.PasswordCredential{
		        Value: password,
	        },
	}

	if recoveryQuestion != "" && len(recoveryAnswer) >= 4 {
		uc.RecoveryQuestion := &okta.RecoveryQuestionCredential{
			Question: recoveryQuestion,
			Answer:   recoveryAnswer,
		}
	}

[quantumew]

Once we add the ForceNew this will actually recreate this resource and test the create logic.

[vijetm]

default okta password length is 8. Users can change their policy to 4 characters, but I think it's good to enforce the 8 character minimum limit

[quantumew]

I think we can just remove this validation imo. I definitely strongly recommend longer passwords, but if it is possible to have shorter or longer passwords in Okta, let's let them do that.

[quantumew]

Can either of these be updated? If so should we include them in the update logic?

[vijetm]

Yes, they can be updated. Let me include them in the update logic. Thanks for catching!

[quantumew]

Thanks for the update. Just a few small comments/questions. Can you run make fmt and commit the change?

[vijetm]

@quantumew - The recovery credentials update doesn't seem to work in my test environment. Okta APIs don't throw an error but the credentials are not updated in the user account. (Password is updated, but recovery question/answer is not). Trying to debug the issue. Don't merge this yet.

[vijetm]

@quantumew - N00b question: Where can I see the statements printed using log.Printf? Trying to debug an issue. Wondering what's the best way to debug without breakpoints...

[quantumew]

@vijetm I recommend delve with breakpoints but if you are not feeling like you need that, then just fmt.Print to stdout, make sure tests are run with -v, and you will likely have to set TF_LOG=debug.

[vijetm]

@quantumew - After some debugging, I see that the call to change recovery credentials isn't being routed to okta. I also notice that you're still using v0.1.0 of the okta golang SDK - https://github.com/articulate/terraform-provider-okta/blob/master/go.mod#L20 (which could be the reason for this issue)
The latest version is v1.0.1. Apart from the go.mod file, is there any place I need to change to use the latest version?

[quantumew]

@vijetm That version might be misleading. Notice the replace directive at the bottom. Our fork should be up to date with the latest SDK, maybe one patch version behind. If you set TF_LOG=debug you can see requests going out and responses in, you are not seeing this request go out, despite it reaching your code and calling the update func?

[vijetm]

@quantumew - I see the call being made now. A previous password change test was failing which caused the next call to not execute.
The tests also seem to be passing now. Had to make some changes to the staged.tf file to add password. Looking at the best way to change this now. Will submit the fix when I finish. Thanks for the help.

[vijetm]

Had to add the password variable to all setup files in examples/okta_user directory, as update tests would fail.
This is because in the update test, the user should have a previous password to update the current password. If not, okta api returns an error. I don't know if you prefer this, but another way is to probably have a separate method/test to check for password update. I thought this was easier, not sure if cleaner though.

[quantumew]

Can we keep this test case separate? Just create another password specific test case? That way we can keep all of these existing test cases as is. I want to be sure all of the old tests pass as is (no passwords changed or set) while also testing the new functionality.

[vijetm]

@quantumew - Did you get a chance to run the acceptance tests? Let me know if you want me to run them locally.

[quantumew]

LGTM!