Cannot disable okta_policy_password.password_max_lockout_attempts; 0 value is ignored

[blazindrop]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

3.26.0

Affected Resource(s)

okta_policy_password

Terraform Configuration Files

resource "okta_policy_password" "policy_password_custom" {
  name                                   = "Custom Password Policy"
  status                                 = "ACTIVE"
  description                            = "Custom policy to test disabling max lockout attempts via Terraform"
  auth_provider                          = "OKTA"
  call_recovery                          = "INACTIVE"
  email_recovery                         = "ACTIVE"
  password_auto_unlock_minutes           = 0
  password_dictionary_lookup             = true
  password_exclude_username              = false
  password_expire_warn_days              = 0
  password_history_count                 = 0
  password_max_age_days                  = 0
  password_max_lockout_attempts          = 0
  password_min_age_minutes               = 0
  password_min_length                    = 10
  password_min_lowercase                 = 1
  password_min_number                    = 0
  password_min_symbol                    = 1
  password_min_uppercase                 = 1
  password_show_lockout_failures         = true
  recovery_email_token                   = 60
  skip_unlock                            = false
  sms_recovery                           = "INACTIVE"
  password_lockout_notification_channels = ["EMAIL"]

  groups_included        = ["${data.okta_group.everyone.id}"]
}

data "okta_group" "everyone" {
  name = "Everyone"
}

Debug Output

Panic Output

Expected Behavior

The created password policy has max lockout attempts disabled.

Actual Behavior

The Okta provider ignores a value of zero. When applied, even though password_max_lockout_attempts specifies zero, the resulting Okta policy looks like this (default of 10 max lockout attempts)

Steps to Reproduce

• Save above configuration
• terraform apply

References/Notes

This works as expected in v3.24.0 and likely introduced by this change - ad0d7f4

[monde]

Thanks for digging down into the commits and giving context @blazindrop . That will help me grind down this regression.

[monde]

This should be fixed now in v3.44.0 release.