okta · stevenelleman-okta · Sep 15, 2022 · Sep 13, 2022 · Sep 13, 2022 · Sep 14, 2022
diff --git a/docs/data-sources/project.md b/docs/data-sources/project.md
@@ -33,5 +33,6 @@ Returns a previously created ASA Project. For details, [Projects](https://help.o
 - `ssh_certificate_type` (String) The SSH certificate type used by access requests. Options include: [`CERT_TYPE_ED25519_01`, `CERT_TYPE_ECDSA_521_01`, `CERT_TYPE_ECDSA_384_01`, `CERT_TYPE_ECDSA_256_01`, `CERT_TYPE_RSA_01`]. 'CERT_TYPE_RSA_01' is a deprecated key algorithm type. This option should only be used to connect to legacy systems that cannot use newer SSH versions. If you do need to use 'CERT_TYPE_RSA_01', it is recommended to connect via a gateway with traffic forwarding. Otherwise, please use a more current key algorithm. If left unspecified, 'CERT_TYPE_ED25519_01' is used by default.
 - `ssh_session_recording` (Boolean) If `true`, enables ssh recording on server access requests.
 - `team` (String) The human-readable name of the ASA Team that owns the resource. Values are lower-case.
+- `user_on_demand_period` (Number) If defined, set time period in seconds that an on-demand user account exists on the server following an access request.
 
 
diff --git a/docs/resources/project.md b/docs/resources/project.md
@@ -30,6 +30,7 @@ An ASA construct that contains servers and is used to grant end users access to
 - `require_preauth_for_creds` (Boolean) If `true`, require preauthorization before an ASA User can retrieve credentials to sign in.
 - `ssh_certificate_type` (String) The SSH certificate type used by access requests. Options include: [`CERT_TYPE_ED25519_01`, `CERT_TYPE_ECDSA_521_01`, `CERT_TYPE_ECDSA_384_01`, `CERT_TYPE_ECDSA_256_01`, `CERT_TYPE_RSA_01`]. 'CERT_TYPE_RSA_01' is a deprecated key algorithm type. This option should only be used to connect to legacy systems that cannot use newer SSH versions. If you do need to use 'CERT_TYPE_RSA_01', it is recommended to connect via a gateway with traffic forwarding. Otherwise, please use a more current key algorithm. If left unspecified, 'CERT_TYPE_ED25519_01' is used by default.
 - `ssh_session_recording` (Boolean) If `true`, enables ssh recording on server access requests.
+- `user_on_demand_period` (Number) If defined, set time period in seconds that an on-demand user account exists on the server following an access request.
 
 ### Read-Only
 

diff --git a/oktapam/client/project.go b/oktapam/client/project.go
@@ -28,6 +28,7 @@ type Project struct {
 	SSHSessionRecording    *bool   `json:"ssh_session_recording,omitempty"`
 	GatewaySelector        *string `json:"gateway_selector,omitempty"`
 	SSHCertificateType     *string `json:"ssh_certificate_type,omitempty"`
+	UserOnDemandPeriod     *int    `json:"user_on_demand_period,omitempty"`
 }
 
 func (p Project) ToResourceMap() map[string]interface{} {
@@ -73,6 +74,9 @@ func (p Project) ToResourceMap() map[string]interface{} {
 	if p.SSHCertificateType != nil {
 		m[attributes.SSHCertificateType] = *p.SSHCertificateType
 	}
+	if p.UserOnDemandPeriod != nil {
+		m[attributes.UserOnDemandPeriod] = *p.UserOnDemandPeriod
+	}
 
 	return m
 }

diff --git a/oktapam/constants/attributes/attributes.go b/oktapam/constants/attributes/attributes.go
@@ -74,7 +74,7 @@ const (
 	OrganizationalUnit               = "organizational_unit"
 	OSAttribute                      = "os_attribute"
 	ProjectGroups                    = "project_groups"
-	ProjectID						 = "project_id"
+	ProjectID                        = "project_id"
 	ProjectName                      = "project_name"
 	ProjectNames                     = "project_names"
 	Projects                         = "projects"
@@ -106,6 +106,7 @@ const (
 	TTLDays                          = "ttl_days"
 	Type                             = "type"
 	UsePasswordless                  = "use_passwordless"
+	UserOnDemandPeriod               = "user_on_demand_period"
 	Users                            = "users"
 	UserType                         = "user_type"
 	Value                            = "value"

diff --git a/oktapam/constants/descriptions/attributes.go b/oktapam/constants/descriptions/attributes.go
@@ -84,5 +84,6 @@ var (
 	TeamName            = "The human-readable name of the ASA Team that owns the resource. Values are lower-case."
 	Token               = "The secret used for resource enrollment."
 	UsePasswordless     = "if `true`, Users will not need password to login."
+	UserOnDemandPeriod  = "If defined, set time period in seconds that an on-demand user account exists on the server following an access request."
 	UserType            = "The user type. Valid types are 'human' and 'service'."
 )
diff --git a/oktapam/data_source_project.go b/oktapam/data_source_project.go
@@ -82,6 +82,11 @@ func dataSourceProject() *schema.Resource {
 				Computed:    true,
 				Description: descriptions.SSHCertificateType,
 			},
+			attributes.UserOnDemandPeriod: {
+				Type:        schema.TypeInt,
+				Computed:    true,
+				Description: descriptions.UserOnDemandPeriod,
+			},
 		},
 	}
 }

diff --git a/oktapam/resource_project.go b/oktapam/resource_project.go
@@ -92,6 +92,11 @@ func resourceProject() *schema.Resource {
 				Optional:    true,
 				Description: descriptions.GatewaySelector,
 			},
+			attributes.UserOnDemandPeriod: {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Description: descriptions.UserOnDemandPeriod,
+			},
 			attributes.SSHCertificateType: {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -147,6 +152,7 @@ func resourceProjectCreate(ctx context.Context, d *schema.ResourceData, m interf
 		SSHSessionRecording:    getBoolPtr(attributes.SSHSessionRecording, d, false),
 		GatewaySelector:        getStringPtr(attributes.GatewaySelector, d, false),
 		SSHCertificateType:     getStringPtr(attributes.SSHCertificateType, d, false),
+		UserOnDemandPeriod:     getIntPtr(attributes.UserOnDemandPeriod, d, false),
 	}
 
 	err := c.CreateProject(ctx, project)
@@ -230,6 +236,7 @@ func resourceProjectUpdate(ctx context.Context, d *schema.ResourceData, m interf
 		attributes.RequirePreauthForCreds,
 		attributes.SSHSessionRecording,
 		attributes.GatewaySelector,
+		attributes.UserOnDemandPeriod,
 	}
 
 	for _, attribute := range changeableAttributes {

diff --git a/oktapam/resource_project_test.go b/oktapam/resource_project_test.go
@@ -27,6 +27,7 @@ func TestAccProject(t *testing.T) {
 		RDPSessionRecording:    utils.AsBoolPtrZero(false, true),
 		SSHSessionRecording:    utils.AsBoolPtrZero(false, true),
 		SSHCertificateType:     utils.AsStringPtr("CERT_TYPE_ED25519_01"),
+		UserOnDemandPeriod:     utils.AsIntPtr(1),
 	}
 	updatedProject := client.Project{
 		Name:                   &projectName,
@@ -39,6 +40,7 @@ func TestAccProject(t *testing.T) {
 		SSHSessionRecording:    utils.AsBoolPtrZero(true, true),
 		GatewaySelector:        utils.AsStringPtr("env=test"),
 		SSHCertificateType:     utils.AsStringPtr("CERT_TYPE_ED25519_01"),
+		UserOnDemandPeriod:     utils.AsIntPtr(10),
 	}
 	resource.Test(t, resource.TestCase{
 		PreCheck:          func() { testAccPreCheck(t) },
@@ -61,6 +63,9 @@ func TestAccProject(t *testing.T) {
 					resource.TestCheckResourceAttr(
 						resourceName, attributes.SSHCertificateType, "CERT_TYPE_ED25519_01",
 					),
+					resource.TestCheckResourceAttr(
+						resourceName, attributes.UserOnDemandPeriod, "1",
+					),
 				),
 			},
 			{
@@ -79,6 +84,9 @@ func TestAccProject(t *testing.T) {
 					resource.TestCheckResourceAttr(
 						resourceName, attributes.SSHCertificateType, "CERT_TYPE_ED25519_01",
 					),
+					resource.TestCheckResourceAttr(
+						resourceName, attributes.UserOnDemandPeriod, "10",
+					),
 				),
 			},
 			{
@@ -139,10 +147,11 @@ func testAccProjectCheckDestroy(projectName string) resource.TestCheckFunc {
 
 const testAccProjectCreateConfigFormat = `
 resource "oktapam_project" "test_project" {
-    name                 = "%s"
-  	next_unix_uid        = 60120
-  	next_unix_gid        = 63020
-	ssh_certificate_type = "CERT_TYPE_ED25519_01"
+	name                  = "%s"
+	next_unix_uid         = 60120
+	next_unix_gid         = 63020
+	ssh_certificate_type  = "CERT_TYPE_ED25519_01"
+	user_on_demand_period = 1
 }`
 
 func createTestAccProjectCreateConfig(projectName string) string {
@@ -160,6 +169,7 @@ resource "oktapam_project" "test_project" {
 	ssh_session_recording     = true
 	gateway_selector          = "env=test"
 	ssh_certificate_type      = "CERT_TYPE_ED25519_01"
+	user_on_demand_period     = 10
 }`
 
 func createTestAccProjectUpdateConfig(projectName string) string {