1. Defining account lockout thresholds with Okta Password Policy

    TypeScript

    To define account lockout thresholds with an Okta Password Policy using Pulumi, you will need to use the Okta Pulumi provider. The Okta provider allows you to manage Okta resources with infrastructure as code. Specifically, you can use the okta.policy.Password resource to create or manage an Okta Password Policy, which can include settings for account lockout thresholds.

    The account lockout threshold is the number of failed sign-in attempts that triggers a lockout of the account for a certain period of time (or until an administrator unlocks it). To set this in Pulumi, you can use the passwordMaxLockoutAttempts and passwordAutoUnlockMinutes properties within the okta.policy.Password resource.

    Here's a program in TypeScript that demonstrates how to define these thresholds:

    ```typescript
    import * as okta from '@pulumi/okta';

    // Create an Okta Password Policy with account lockout thresholds
    const passwordPolicy = new okta.policy.Password("example-password-policy", {
        // The name of your policy - this must be unique within your Okta organization
        name: "ExamplePasswordPolicy",
        // The description of your policy
        description: "This policy defines account lockout thresholds.",

        // Account lockout settings
        // Set the number of failed sign-in attempts that will trigger an account lockout
        passwordMaxLockoutAttempts: 5, // for example, lock the account after 5 failed attempts
        // Set the number of minutes before a locked account will be automatically unlocked
        passwordAutoUnlockMinutes: 30, // for example, the account will automatically unlock after 30 minutes

        // Additional password settings you might want to configure
        passwordMinLength: 8, // Minimum length for passwords
        passwordMinUppercase: 1, // Require at least one uppercase letter
        passwordMinLowercase: 1, // Require at least one lowercase letter
        passwordMinNumber: 1, // Require at least one number
        passwordMinSymbol: 1, // Require at least one symbol
        passwordHistoryCount: 4, // Number of unique new passwords before an old one can be reused
        passwordMaxAgeDays: 90, // Maximum password age in days
        passwordExpireWarnDays: 15, // Number of days before password expiration to warn the user
    });

    // Optional: Export the ID of the policy which can be useful for automating policy assignments or rules.
    export const passwordPolicyId = passwordPolicy.id;
    ```

    In this program, we create an instance of okta.policy.Password. We give this policy a name and description to help identify its purpose. We also configure the passwordMaxLockoutAttempts to 5, meaning that after five consecutive failed sign-in attempts, the user's account will be locked. The passwordAutoUnlockMinutes is set to 30, so the account will be automatically unlocked after half an hour.

    Additional password settings, like minimum length, character requirements, password history, and maximum age, can also be set at the same time. These settings help enforce strong and unique passwords.

    To apply this policy with Pulumi, you would first need to have Pulumi installed and the Okta provider configured with the necessary credentials. With that set up, you can run pulumi up to create or update the resources described in this program. The policy ID is exported for convenience, allowing it to be referenced in other parts of your Pulumi program, such as when associating the policy with groups or applications.
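The two lockout values together bound how many password guesses one account can absorb per day, which is worth checking before running pulumi up. The following is an added example, not part of the original program or the Okta provider: reviewLockout and its review limits are hypothetical, and the bound assumes lockout is the only throttle in place.

```typescript
// Added example: plain TypeScript, no Pulumi or Okta SDK required.
// Field names mirror the okta.policy.Password arguments used above.
interface LockoutSettings {
  passwordMaxLockoutAttempts: number; // provider docs: 0 = no limit (never locks)
  passwordAutoUnlockMinutes: number;  // provider docs: 0 = no auto-unlock (admin must unlock)
}

interface LockoutReview {
  guessesPerDay: number; // worst-case guesses against one account in 24 hours
  findings: string[];
}

// Assumed review limits, not Okta defaults; tune them to your own standard.
const MAX_ATTEMPTS_LIMIT = 10;
const GUESSES_PER_DAY_LIMIT = 500;
const MINUTES_PER_DAY = 24 * 60;

function reviewLockout(s: LockoutSettings): LockoutReview {
  const n = s.passwordMaxLockoutAttempts;
  const m = s.passwordAutoUnlockMinutes;
  if (Math.floor(n) !== n || Math.floor(m) !== m || n < 0 || m < 0) {
    throw new RangeError("lockout settings must be non-negative integers");
  }
  const findings: string[] = [];
  let guessesPerDay: number;
  if (n === 0) {
    guessesPerDay = Infinity;
    findings.push("passwordMaxLockoutAttempts is 0: accounts never lock");
  } else if (m === 0) {
    // One burst of n guesses, then locked until an administrator steps in.
    guessesPerDay = n;
    findings.push("passwordAutoUnlockMinutes is 0: every lockout needs an admin unlock");
  } else {
    // A burst of n guesses fits at minute 0, m, 2m, ... below 1440.
    guessesPerDay = n * Math.ceil(MINUTES_PER_DAY / m);
  }
  if (n > MAX_ATTEMPTS_LIMIT) {
    findings.push(`passwordMaxLockoutAttempts ${n} exceeds review limit ${MAX_ATTEMPTS_LIMIT}`);
  }
  if (isFinite(guessesPerDay) && guessesPerDay > GUESSES_PER_DAY_LIMIT) {
    findings.push(`${guessesPerDay} guesses/day exceeds review limit ${GUESSES_PER_DAY_LIMIT}`);
  }
  return { guessesPerDay, findings };
}

// The values from the policy above: 5 attempts, 30-minute auto-unlock.
const pageValues = reviewLockout({ passwordMaxLockoutAttempts: 5, passwordAutoUnlockMinutes: 30 });
console.log(pageValues.guessesPerDay, pageValues.findings);
```

With the values used above (5 attempts, 30 minutes) the bound is 240 guesses per account per day; shortening the auto-unlock window raises it proportionally.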