
policy

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-okta repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-okta repo.

class pulumi_okta.policy.AwaitableGetDefaultPolicyResult(id=None, type=None)
class pulumi_okta.policy.AwaitableGetPolicyResult(id=None, name=None, type=None)
class pulumi_okta.policy.GetDefaultPolicyResult(id=None, type=None)

A collection of values returned by getDefaultPolicy.

id = None

The provider-assigned unique ID for this managed resource.

type = None

type of policy.

class pulumi_okta.policy.GetPolicyResult(id=None, name=None, type=None)

A collection of values returned by getPolicy.

id = None

The provider-assigned unique ID for this managed resource.

name = None

name of policy.

type = None

type of policy.

class pulumi_okta.policy.Mfa(resource_name, opts=None, description=None, duo=None, fido_u2f=None, fido_webauthn=None, google_otp=None, groups_includeds=None, name=None, okta_call=None, okta_otp=None, okta_password=None, okta_push=None, okta_question=None, okta_sms=None, priority=None, rsa_token=None, status=None, symantec_vip=None, yubikey_token=None, __props__=None, __name__=None, __opts__=None)

Creates an MFA Policy.

This resource allows you to create and configure an MFA Policy.

import pulumi
import pulumi_okta as okta

# "<group id>" stands for the ID of the group the policy applies to
# (for example, the Everyone group).
example = okta.policy.Mfa("example",
    description="Example",
    groups_includeds=["<group id>"],
    okta_otp={
        "enroll": "REQUIRED",
    },
    status="ACTIVE")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Policy Description.

  • duo (pulumi.Input[dict]) – DUO MFA policy settings.

  • fido_u2f (pulumi.Input[dict]) – Fido U2F MFA policy settings.

  • fido_webauthn (pulumi.Input[dict]) – Fido Web Authn MFA policy settings.

  • google_otp (pulumi.Input[dict]) – Google OTP MFA policy settings.

  • groups_includeds (pulumi.Input[list]) – List of Group IDs to Include.

  • name (pulumi.Input[str]) – Policy Name.

  • okta_call (pulumi.Input[dict]) – Okta Call MFA policy settings.

  • okta_otp (pulumi.Input[dict]) – Okta OTP MFA policy settings.

  • okta_password (pulumi.Input[dict]) – Okta Password MFA policy settings.

  • okta_push (pulumi.Input[dict]) – Okta Push MFA policy settings.

  • okta_question (pulumi.Input[dict]) – Okta Question MFA policy settings.

  • okta_sms (pulumi.Input[dict]) – Okta SMS MFA policy settings.

  • priority (pulumi.Input[float]) – Priority of the policy.

  • rsa_token (pulumi.Input[dict]) – RSA Token MFA policy settings.

  • status (pulumi.Input[str]) – Policy Status: "ACTIVE" or "INACTIVE".

  • symantec_vip (pulumi.Input[dict]) – Symantec VIP MFA policy settings.

  • yubikey_token (pulumi.Input[dict]) – Yubikey Token MFA policy settings.

The duo object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The fido_u2f object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The fido_webauthn object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The google_otp object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_call object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_otp object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_password object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_push object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_question object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_sms object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The rsa_token object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The symantec_vip object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The yubikey_token object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

description: pulumi.Output[str] = None

Policy Description.

duo: pulumi.Output[dict] = None

DUO MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

fido_u2f: pulumi.Output[dict] = None

Fido U2F MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

fido_webauthn: pulumi.Output[dict] = None

Fido Web Authn MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

google_otp: pulumi.Output[dict] = None

Google OTP MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

groups_includeds: pulumi.Output[list] = None

List of Group IDs to Include.

name: pulumi.Output[str] = None

Policy Name.

okta_call: pulumi.Output[dict] = None

Okta Call MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

okta_otp: pulumi.Output[dict] = None

Okta OTP MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

okta_password: pulumi.Output[dict] = None

Okta Password MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

okta_push: pulumi.Output[dict] = None

Okta Push MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

okta_question: pulumi.Output[dict] = None

Okta Question MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

okta_sms: pulumi.Output[dict] = None

Okta SMS MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

priority: pulumi.Output[float] = None

Priority of the policy.

rsa_token: pulumi.Output[dict] = None

RSA Token MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

status: pulumi.Output[str] = None

Policy Status: "ACTIVE" or "INACTIVE".

symantec_vip: pulumi.Output[dict] = None

Symantec VIP MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

yubikey_token: pulumi.Output[dict] = None

Yubikey Token MFA policy settings.

  • consent_type (str) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (str) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

static get(resource_name, id, opts=None, description=None, duo=None, fido_u2f=None, fido_webauthn=None, google_otp=None, groups_includeds=None, name=None, okta_call=None, okta_otp=None, okta_password=None, okta_push=None, okta_question=None, okta_sms=None, priority=None, rsa_token=None, status=None, symantec_vip=None, yubikey_token=None)

Get an existing Mfa resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Policy Description.

  • duo (pulumi.Input[dict]) – DUO MFA policy settings.

  • fido_u2f (pulumi.Input[dict]) – Fido U2F MFA policy settings.

  • fido_webauthn (pulumi.Input[dict]) – Fido Web Authn MFA policy settings.

  • google_otp (pulumi.Input[dict]) – Google OTP MFA policy settings.

  • groups_includeds (pulumi.Input[list]) – List of Group IDs to Include.

  • name (pulumi.Input[str]) – Policy Name.

  • okta_call (pulumi.Input[dict]) – Okta Call MFA policy settings.

  • okta_otp (pulumi.Input[dict]) – Okta OTP MFA policy settings.

  • okta_password (pulumi.Input[dict]) – Okta Password MFA policy settings.

  • okta_push (pulumi.Input[dict]) – Okta Push MFA policy settings.

  • okta_question (pulumi.Input[dict]) – Okta Question MFA policy settings.

  • okta_sms (pulumi.Input[dict]) – Okta SMS MFA policy settings.

  • priority (pulumi.Input[float]) – Priority of the policy.

  • rsa_token (pulumi.Input[dict]) – RSA Token MFA policy settings.

  • status (pulumi.Input[str]) – Policy Status: "ACTIVE" or "INACTIVE".

  • symantec_vip (pulumi.Input[dict]) – Symantec VIP MFA policy settings.

  • yubikey_token (pulumi.Input[dict]) – Yubikey Token MFA policy settings.

The duo object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The fido_u2f object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The fido_webauthn object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The google_otp object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_call object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_otp object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_password object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_push object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_question object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The okta_sms object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The rsa_token object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The symantec_vip object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

The yubikey_token object supports the following:

  • consent_type (pulumi.Input[str]) - User consent type required before enrolling in the factor: "NONE" or "TERMS_OF_SERVICE". By default it is "NONE".

  • enroll (pulumi.Input[str]) - Requirements for user initiated enrollment. Can be "NOT_ALLOWED", "OPTIONAL", or "REQUIRED". By default it is "OPTIONAL".

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str
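The `enroll` default documented for `okta.policy.Mfa` above is "OPTIONAL", so a factor that is simply left out of the arguments stays available to users rather than being switched off. The following added example (not part of the provider or the original page) resolves the effective `enroll` value of every factor in a dict of `Mfa` keyword arguments and checks it before deployment; the disallowed-factor baseline, the treatment of `okta_password`, and the sample dicts are assumptions constructed for illustration.

```python
from typing import Any, Dict, List, Mapping

# Factor arguments of okta.policy.Mfa, as listed on this page.
MFA_FACTORS = (
    "duo", "fido_u2f", "fido_webauthn", "google_otp", "okta_call",
    "okta_otp", "okta_password", "okta_push", "okta_question",
    "okta_sms", "rsa_token", "symantec_vip", "yubikey_token",
)
ENROLL_VALUES = ("NOT_ALLOWED", "OPTIONAL", "REQUIRED")
DEFAULT_ENROLL = "OPTIONAL"  # documented default when "enroll" is omitted

# Assumption (example baseline, not from the page): factors this
# organisation does not want users to be able to enroll.
BASELINE_DISALLOWED = ("okta_call", "okta_question", "okta_sms")


def effective_enrollment(args: Mapping[str, Any]) -> Dict[str, str]:
    """Resolve every factor's enroll setting, applying the documented default."""
    resolved = {}
    for factor in MFA_FACTORS:
        settings = args.get(factor) or {}
        resolved[factor] = settings.get("enroll", DEFAULT_ENROLL)
    return resolved


def audit_mfa_args(args: Mapping[str, Any]) -> List[str]:
    """Return findings for keyword arguments meant for okta.policy.Mfa."""
    findings = []
    enrollment = effective_enrollment(args)

    # Values outside the documented set (for example wrong case) are reported.
    for factor, value in enrollment.items():
        if value not in ENROLL_VALUES:
            findings.append(f"{factor}: invalid enroll value {value!r}")

    if args.get("status") == "INACTIVE":
        findings.append("status: policy is INACTIVE")

    # Assumption: okta_password is not counted as a second factor.
    second_factors = [f for f in MFA_FACTORS if f != "okta_password"]
    if not any(enrollment[f] == "REQUIRED" for f in second_factors):
        findings.append("policy: no second factor is REQUIRED")

    # A baseline-disallowed factor must be NOT_ALLOWED explicitly; omitting
    # it leaves the documented default, OPTIONAL, in effect.
    for factor in BASELINE_DISALLOWED:
        if enrollment[factor] != "NOT_ALLOWED":
            explicit = "enroll" in (args.get(factor) or {})
            origin = "set explicitly" if explicit else "by default"
            findings.append(
                f"{factor}: enrollment is {enrollment[factor]} ({origin})")
    return findings


# Constructed sample: the arguments of the example on this page, with a
# placeholder group ID.
MFA_PAGE_EXAMPLE_ARGS = {
    "description": "Example",
    "groups_includeds": ["<group id>"],
    "okta_otp": {"enroll": "REQUIRED"},
    "status": "ACTIVE",
}

# Constructed sample: the same policy with the baseline factors disabled.
MFA_HARDENED_ARGS = {
    **MFA_PAGE_EXAMPLE_ARGS,
    "okta_call": {"enroll": "NOT_ALLOWED"},
    "okta_question": {"enroll": "NOT_ALLOWED"},
    "okta_sms": {"enroll": "NOT_ALLOWED"},
}

if __name__ == "__main__":
    for label, sample in (("page example", MFA_PAGE_EXAMPLE_ARGS),
                          ("hardened", MFA_HARDENED_ARGS)):
        print(label, audit_mfa_args(sample) or "no findings")
```
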

class pulumi_okta.policy.Password(resource_name, opts=None, auth_provider=None, description=None, email_recovery=None, groups_includeds=None, name=None, password_auto_unlock_minutes=None, password_dictionary_lookup=None, password_exclude_first_name=None, password_exclude_last_name=None, password_exclude_username=None, password_expire_warn_days=None, password_history_count=None, password_max_age_days=None, password_max_lockout_attempts=None, password_min_age_minutes=None, password_min_length=None, password_min_lowercase=None, password_min_number=None, password_min_symbol=None, password_min_uppercase=None, password_show_lockout_failures=None, priority=None, question_min_length=None, question_recovery=None, recovery_email_token=None, skip_unlock=None, sms_recovery=None, status=None, __props__=None, __name__=None, __opts__=None)

Creates a Password Policy.

This resource allows you to create and configure a Password Policy.

import pulumi
import pulumi_okta as okta

# "<group id>" stands for the ID of the group the policy applies to
# (for example, the Everyone group).
example = okta.policy.Password("example",
    description="Example",
    groups_includeds=["<group id>"],
    password_history_count=4,
    status="ACTIVE")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • auth_provider (pulumi.Input[str]) – Authentication Provider: "OKTA" or "ACTIVE_DIRECTORY". Default is "OKTA".

  • description (pulumi.Input[str]) – Policy Description.

  • email_recovery (pulumi.Input[str]) – Enable or disable email password recovery: ACTIVE or INACTIVE.

  • groups_includeds (pulumi.Input[list]) – List of Group IDs to Include.

  • name (pulumi.Input[str]) – Policy Name.

  • password_auto_unlock_minutes (pulumi.Input[float]) – Number of minutes before a locked account is unlocked: 0 = no limit.

  • password_dictionary_lookup (pulumi.Input[bool]) – Check Passwords Against Common Password Dictionary.

  • password_exclude_first_name (pulumi.Input[bool]) – User firstName attribute must be excluded from the password.

  • password_exclude_last_name (pulumi.Input[bool]) – User lastName attribute must be excluded from the password.

  • password_exclude_username (pulumi.Input[bool]) – If the user name must be excluded from the password.

  • password_expire_warn_days (pulumi.Input[float]) – Length in days a user will be warned before password expiry: 0 = no warning.

  • password_history_count (pulumi.Input[float]) – Number of distinct passwords that must be created before they can be reused: 0 = none.

  • password_max_age_days (pulumi.Input[float]) – Length in days a password is valid before expiry: 0 = no limit.

  • password_max_lockout_attempts (pulumi.Input[float]) – Number of unsuccessful login attempts allowed before lockout: 0 = no limit.

  • password_min_age_minutes (pulumi.Input[float]) – Minimum time interval in minutes between password changes: 0 = no limit.

  • password_min_length (pulumi.Input[float]) – Minimum password length. Default is 8.

  • password_min_lowercase (pulumi.Input[float]) – Minimum number of lower case characters in password.

  • password_min_number (pulumi.Input[float]) – Minimum number of numbers in password.

  • password_min_symbol (pulumi.Input[float]) – Minimum number of symbols in password.

  • password_min_uppercase (pulumi.Input[float]) – Minimum number of upper case characters in password.

  • password_show_lockout_failures (pulumi.Input[bool]) – If a user should be informed when their account is locked.

  • priority (pulumi.Input[float]) – Priority of the policy.

  • question_min_length (pulumi.Input[float]) – Min length of the password recovery question answer.

  • question_recovery (pulumi.Input[str]) – Enable or disable security question password recovery: ACTIVE or INACTIVE.

  • recovery_email_token (pulumi.Input[float]) – Lifetime in minutes of the recovery email token.

  • skip_unlock (pulumi.Input[bool]) – When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user’s Windows account.

  • sms_recovery (pulumi.Input[str]) – Enable or disable SMS password recovery: ACTIVE or INACTIVE.

  • status (pulumi.Input[str]) – Policy Status: "ACTIVE" or "INACTIVE".

auth_provider: pulumi.Output[str] = None

Authentication Provider: "OKTA" or "ACTIVE_DIRECTORY". Default is "OKTA".

description: pulumi.Output[str] = None

Policy Description.

email_recovery: pulumi.Output[str] = None

Enable or disable email password recovery: ACTIVE or INACTIVE.

groups_includeds: pulumi.Output[list] = None

List of Group IDs to Include.

name: pulumi.Output[str] = None

Policy Name.

password_auto_unlock_minutes: pulumi.Output[float] = None

Number of minutes before a locked account is unlocked: 0 = no limit.

password_dictionary_lookup: pulumi.Output[bool] = None

Check Passwords Against Common Password Dictionary.

password_exclude_first_name: pulumi.Output[bool] = None

User firstName attribute must be excluded from the password.

password_exclude_last_name: pulumi.Output[bool] = None

User lastName attribute must be excluded from the password.

password_exclude_username: pulumi.Output[bool] = None

If the user name must be excluded from the password.

password_expire_warn_days: pulumi.Output[float] = None

Length in days a user will be warned before password expiry: 0 = no warning.

password_history_count: pulumi.Output[float] = None

Number of distinct passwords that must be created before they can be reused: 0 = none.

password_max_age_days: pulumi.Output[float] = None

Length in days a password is valid before expiry: 0 = no limit.

password_max_lockout_attempts: pulumi.Output[float] = None

Number of unsuccessful login attempts allowed before lockout: 0 = no limit.

password_min_age_minutes: pulumi.Output[float] = None

Minimum time interval in minutes between password changes: 0 = no limit.

password_min_length: pulumi.Output[float] = None

Minimum password length. Default is 8.

password_min_lowercase: pulumi.Output[float] = None

Minimum number of lower case characters in password.

password_min_number: pulumi.Output[float] = None

Minimum number of numbers in password.

password_min_symbol: pulumi.Output[float] = None

Minimum number of symbols in password.

password_min_uppercase: pulumi.Output[float] = None

Minimum number of upper case characters in password.

password_show_lockout_failures: pulumi.Output[bool] = None

If a user should be informed when their account is locked.

priority: pulumi.Output[float] = None

Priority of the policy.

question_min_length: pulumi.Output[float] = None

Min length of the password recovery question answer.

question_recovery: pulumi.Output[str] = None

Enable or disable security question password recovery: ACTIVE or INACTIVE.

recovery_email_token: pulumi.Output[float] = None

Lifetime in minutes of the recovery email token.

skip_unlock: pulumi.Output[bool] = None

When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user’s Windows account.

sms_recovery: pulumi.Output[str] = None

Enable or disable SMS password recovery: ACTIVE or INACTIVE.

status: pulumi.Output[str] = None

Policy Status: "ACTIVE" or "INACTIVE".

static get(resource_name, id, opts=None, auth_provider=None, description=None, email_recovery=None, groups_includeds=None, name=None, password_auto_unlock_minutes=None, password_dictionary_lookup=None, password_exclude_first_name=None, password_exclude_last_name=None, password_exclude_username=None, password_expire_warn_days=None, password_history_count=None, password_max_age_days=None, password_max_lockout_attempts=None, password_min_age_minutes=None, password_min_length=None, password_min_lowercase=None, password_min_number=None, password_min_symbol=None, password_min_uppercase=None, password_show_lockout_failures=None, priority=None, question_min_length=None, question_recovery=None, recovery_email_token=None, skip_unlock=None, sms_recovery=None, status=None)

Get an existing Password resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • auth_provider (pulumi.Input[str]) – Authentication Provider: "OKTA" or "ACTIVE_DIRECTORY". Default is "OKTA".

  • description (pulumi.Input[str]) – Policy Description.

  • email_recovery (pulumi.Input[str]) – Enable or disable email password recovery: ACTIVE or INACTIVE.

  • groups_includeds (pulumi.Input[list]) – List of Group IDs to Include.

  • name (pulumi.Input[str]) – Policy Name.

  • password_auto_unlock_minutes (pulumi.Input[float]) – Number of minutes before a locked account is unlocked: 0 = no limit.

  • password_dictionary_lookup (pulumi.Input[bool]) – Check Passwords Against Common Password Dictionary.

  • password_exclude_first_name (pulumi.Input[bool]) – User firstName attribute must be excluded from the password.

  • password_exclude_last_name (pulumi.Input[bool]) – User lastName attribute must be excluded from the password.

  • password_exclude_username (pulumi.Input[bool]) – If the user name must be excluded from the password.

  • password_expire_warn_days (pulumi.Input[float]) – Length in days a user will be warned before password expiry: 0 = no warning.

  • password_history_count (pulumi.Input[float]) – Number of distinct passwords that must be created before they can be reused: 0 = none.

  • password_max_age_days (pulumi.Input[float]) – Length in days a password is valid before expiry: 0 = no limit.

  • password_max_lockout_attempts (pulumi.Input[float]) – Number of unsuccessful login attempts allowed before lockout: 0 = no limit.

  • password_min_age_minutes (pulumi.Input[float]) – Minimum time interval in minutes between password changes: 0 = no limit.

  • password_min_length (pulumi.Input[float]) – Minimum password length. Default is 8.

  • password_min_lowercase (pulumi.Input[float]) – Minimum number of lower case characters in password.

  • password_min_number (pulumi.Input[float]) – Minimum number of numbers in password.

  • password_min_symbol (pulumi.Input[float]) – Minimum number of symbols in password.

  • password_min_uppercase (pulumi.Input[float]) – Minimum number of upper case characters in password.

  • password_show_lockout_failures (pulumi.Input[bool]) – If a user should be informed when their account is locked.

  • priority (pulumi.Input[float]) – Priority of the policy.

  • question_min_length (pulumi.Input[float]) – Min length of the password recovery question answer.

  • question_recovery (pulumi.Input[str]) – Enable or disable security question password recovery: ACTIVE or INACTIVE.

  • recovery_email_token (pulumi.Input[float]) – Lifetime in minutes of the recovery email token.

  • skip_unlock (pulumi.Input[bool]) – When an Active Directory user is locked out of Okta, the Okta unlock operation should also attempt to unlock the user’s Windows account.

  • sms_recovery (pulumi.Input[str]) – Enable or disable SMS password recovery: ACTIVE or INACTIVE.

  • status (pulumi.Input[str]) – Policy Status: "ACTIVE" or "INACTIVE".

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str
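Several `okta.policy.Password` arguments above use 0 as a "no limit" sentinel, and the sentinel points in opposite directions: `password_max_lockout_attempts=0` disables lockout, while `password_auto_unlock_minutes=0` keeps a locked account locked. The following added example (not part of the provider or the original page) audits a dict of `Password` keyword arguments with the sentinel mapped to infinity so that a plain numeric comparison does not mistake 0 for the strictest setting; the baseline thresholds and the sample dicts are assumptions constructed for illustration.

```python
import math
from typing import Any, Dict, Mapping, Optional

# Arguments for which this page documents "0 = no limit".
ZERO_MEANS_UNLIMITED = frozenset({
    "password_max_lockout_attempts",
    "password_auto_unlock_minutes",
})

# The only numeric default this page documents for the checked arguments.
DOCUMENTED_DEFAULTS = {"password_min_length": 8}

# Assumption (example baseline, not from the page): (direction, bound).
BASELINE = {
    "password_min_length": ("min", 12),
    "password_history_count": ("min", 4),
    "password_max_lockout_attempts": ("max", 10),
    "password_auto_unlock_minutes": ("min", 15),
}


def effective_value(arg: str, args: Mapping[str, Any]) -> Optional[float]:
    """Resolve an argument to a comparable number.

    Returns None when the argument is omitted and the page documents no
    default, and math.inf when 0 is the documented "no limit" sentinel.
    """
    raw = args.get(arg, DOCUMENTED_DEFAULTS.get(arg))
    if raw is None:
        return None
    if arg in ZERO_MEANS_UNLIMITED and raw == 0:
        return math.inf
    return float(raw)


def audit_password_args(args: Mapping[str, Any]) -> Dict[str, str]:
    """Return {argument: finding} for arguments that miss the baseline."""
    findings = {}
    for arg, (direction, bound) in BASELINE.items():
        value = effective_value(arg, args)
        if value is None:
            findings[arg] = "not set; the effective value is not documented here"
            continue
        shown = "unlimited" if math.isinf(value) else f"{value:g}"
        if direction == "min" and value < bound:
            findings[arg] = f"{shown} is below the baseline minimum of {bound}"
        elif direction == "max" and value > bound:
            findings[arg] = f"{shown} is above the baseline maximum of {bound}"
    return findings


# Constructed sample: the arguments of the example on this page, with a
# placeholder group ID.
PASSWORD_PAGE_EXAMPLE_ARGS = {
    "description": "Example",
    "groups_includeds": ["<group id>"],
    "password_history_count": 4,
    "status": "ACTIVE",
}

# Constructed sample: every sentinel-capable argument set to 0.
PASSWORD_ZERO_ARGS = {
    "password_min_length": 14,
    "password_history_count": 0,          # 0 = none: no reuse protection
    "password_max_lockout_attempts": 0,   # 0 = no limit: lockout disabled
    "password_auto_unlock_minutes": 0,    # 0 = no limit: never auto-unlocks
}

# Constructed sample that meets the example baseline.
PASSWORD_HARDENED_ARGS = {
    "password_min_length": 14,
    "password_history_count": 5,
    "password_max_lockout_attempts": 5,
    "password_auto_unlock_minutes": 30,
}

if __name__ == "__main__":
    for label, sample in (("page example", PASSWORD_PAGE_EXAMPLE_ARGS),
                          ("all zero", PASSWORD_ZERO_ARGS),
                          ("hardened", PASSWORD_HARDENED_ARGS)):
        print(label, audit_password_args(sample) or "no findings")
```
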

class pulumi_okta.policy.RuleIdpDiscovery(resource_name, opts=None, app_excludes=None, app_includes=None, idp_id=None, idp_type=None, name=None, network_connection=None, network_excludes=None, network_includes=None, platform_includes=None, policyid=None, priority=None, status=None, user_identifier_attribute=None, user_identifier_patterns=None, user_identifier_type=None, __props__=None, __name__=None, __opts__=None)

Creates an IdP Discovery Policy Rule.

This resource allows you to create and configure an IdP Discovery Policy Rule.

import pulumi
import pulumi_okta as okta

example = okta.policy.RuleIdpDiscovery("example",
    idp_id="<idp id>",
    idp_type="SAML2",
    policyid="<policy id>",
    priority=1,
    user_identifier_attribute="company",
    user_identifier_patterns=[{
        "match_type": "EQUALS",
        "value": "Articulate",
    }],
    user_identifier_type="ATTRIBUTE")
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • app_excludes (pulumi.Input[list]) – Applications to exclude in discovery rule

  • app_includes (pulumi.Input[list]) – Applications to include in discovery rule

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

The app_excludes object supports the following:

  • id (pulumi.Input[str]) - ID of the Rule.

  • name (pulumi.Input[str]) - Policy Rule Name.

  • type (pulumi.Input[str])

The app_includes object supports the following:

  • id (pulumi.Input[str]) - ID of the Rule.

  • name (pulumi.Input[str]) - Policy Rule Name.

  • type (pulumi.Input[str])

The platform_includes object supports the following:

  • osExpression (pulumi.Input[str])

  • osType (pulumi.Input[str])

  • type (pulumi.Input[str])

The user_identifier_patterns object supports the following:

  • match_type (pulumi.Input[str])

  • value (pulumi.Input[str])

app_excludes: pulumi.Output[list] = None

Applications to exclude in discovery rule

  • id (str) - ID of the Rule.

  • name (str) - Policy Rule Name.

  • type (str)

app_includes: pulumi.Output[list] = None

Applications to include in discovery rule

  • id (str) - ID of the Rule.

  • name (str) - Policy Rule Name.

  • type (str)

name: pulumi.Output[str] = None

Policy Rule Name.

network_connection: pulumi.Output[str] = None

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

network_excludes: pulumi.Output[list] = None

The network zones to exclude. Conflicts with network_includes.

network_includes: pulumi.Output[list] = None

The network zones to include. Conflicts with network_excludes.

policyid: pulumi.Output[str] = None

Policy ID.

priority: pulumi.Output[float] = None

Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

status: pulumi.Output[str] = None

Policy Rule Status: "ACTIVE" or "INACTIVE".

static get(resource_name, id, opts=None, app_excludes=None, app_includes=None, idp_id=None, idp_type=None, name=None, network_connection=None, network_excludes=None, network_includes=None, platform_includes=None, policyid=None, priority=None, status=None, user_identifier_attribute=None, user_identifier_patterns=None, user_identifier_type=None)

Get an existing RuleIdpDiscovery resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • app_excludes (pulumi.Input[list]) – Applications to exclude in discovery rule

  • app_includes (pulumi.Input[list]) – Applications to include in discovery rule

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

The app_excludes object supports the following:

  • id (pulumi.Input[str]) - ID of the Rule.

  • name (pulumi.Input[str]) - Policy Rule Name.

  • type (pulumi.Input[str])

The app_includes object supports the following:

  • id (pulumi.Input[str]) - ID of the Rule.

  • name (pulumi.Input[str]) - Policy Rule Name.

  • type (pulumi.Input[str])

The platform_includes object supports the following:

  • osExpression (pulumi.Input[str])

  • osType (pulumi.Input[str])

  • type (pulumi.Input[str])

The user_identifier_patterns object supports the following:

  • match_type (pulumi.Input[str])

  • value (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_okta.policy.RuleMfa(resource_name, opts=None, enroll=None, name=None, network_connection=None, network_excludes=None, network_includes=None, policyid=None, priority=None, status=None, users_excludeds=None, __props__=None, __name__=None, __opts__=None)

Creates an MFA Policy Rule.

This resource allows you to create and configure an MFA Policy Rule.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • enroll (pulumi.Input[str]) – When a user should be prompted for MFA. It can be "CHALLENGE", "LOGIN", or "NEVER".

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

  • users_excludeds (pulumi.Input[list]) – Set of User IDs to Exclude

enroll: pulumi.Output[str] = None

When a user should be prompted for MFA. It can be "CHALLENGE", "LOGIN", or "NEVER".

name: pulumi.Output[str] = None

Policy Rule Name.

network_connection: pulumi.Output[str] = None

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

network_excludes: pulumi.Output[list] = None

The network zones to exclude. Conflicts with network_includes.

network_includes: pulumi.Output[list] = None

The network zones to include. Conflicts with network_excludes.

policyid: pulumi.Output[str] = None

Policy ID.

priority: pulumi.Output[float] = None

Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

status: pulumi.Output[str] = None

Policy Rule Status: "ACTIVE" or "INACTIVE".

users_excludeds: pulumi.Output[list] = None

Set of User IDs to Exclude

static get(resource_name, id, opts=None, enroll=None, name=None, network_connection=None, network_excludes=None, network_includes=None, policyid=None, priority=None, status=None, users_excludeds=None)

Get an existing RuleMfa resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • enroll (pulumi.Input[str]) – When a user should be prompted for MFA. It can be "CHALLENGE", "LOGIN", or "NEVER".

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

  • users_excludeds (pulumi.Input[list]) – Set of User IDs to Exclude

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_okta.policy.RulePassword(resource_name, opts=None, name=None, network_connection=None, network_excludes=None, network_includes=None, password_change=None, password_reset=None, password_unlock=None, policyid=None, priority=None, status=None, users_excludeds=None, __props__=None, __name__=None, __opts__=None)

Creates a Password Policy Rule.

This resource allows you to create and configure a Password Policy Rule.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • password_change (pulumi.Input[str]) – Allow or deny a user to change their password: "ALLOW" or "DENY". By default it is "ALLOW".

  • password_reset (pulumi.Input[str]) – Allow or deny a user to reset their password: "ALLOW" or "DENY". By default it is "ALLOW".

  • password_unlock (pulumi.Input[str]) – Allow or deny a user to unlock: "ALLOW" or "DENY". By default it is "DENY".

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

  • users_excludeds (pulumi.Input[list]) – Set of User IDs to Exclude

name: pulumi.Output[str] = None

Policy Rule Name.

network_connection: pulumi.Output[str] = None

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

network_excludes: pulumi.Output[list] = None

The network zones to exclude. Conflicts with network_includes.

network_includes: pulumi.Output[list] = None

The network zones to include. Conflicts with network_excludes.

password_change: pulumi.Output[str] = None

Allow or deny a user to change their password: "ALLOW" or "DENY". By default it is "ALLOW".

password_reset: pulumi.Output[str] = None

Allow or deny a user to reset their password: "ALLOW" or "DENY". By default it is "ALLOW".

password_unlock: pulumi.Output[str] = None

Allow or deny a user to unlock: "ALLOW" or "DENY". By default it is "DENY".

policyid: pulumi.Output[str] = None

Policy ID.

priority: pulumi.Output[float] = None

Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

status: pulumi.Output[str] = None

Policy Rule Status: "ACTIVE" or "INACTIVE".

users_excludeds: pulumi.Output[list] = None

Set of User IDs to Exclude

static get(resource_name, id, opts=None, name=None, network_connection=None, network_excludes=None, network_includes=None, password_change=None, password_reset=None, password_unlock=None, policyid=None, priority=None, status=None, users_excludeds=None)

Get an existing RulePassword resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • password_change (pulumi.Input[str]) – Allow or deny a user to change their password: "ALLOW" or "DENY". By default it is "ALLOW".

  • password_reset (pulumi.Input[str]) – Allow or deny a user to reset their password: "ALLOW" or "DENY". By default it is "ALLOW".

  • password_unlock (pulumi.Input[str]) – Allow or deny a user to unlock: "ALLOW" or "DENY". By default it is "DENY".

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

  • users_excludeds (pulumi.Input[list]) – Set of User IDs to Exclude

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_okta.policy.RuleSignon(resource_name, opts=None, access=None, authtype=None, mfa_lifetime=None, mfa_prompt=None, mfa_remember_device=None, mfa_required=None, name=None, network_connection=None, network_excludes=None, network_includes=None, policyid=None, priority=None, session_idle=None, session_lifetime=None, session_persistent=None, status=None, users_excludeds=None, __props__=None, __name__=None, __opts__=None)

Creates a Sign On Policy Rule.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access (pulumi.Input[str]) – Allow or deny access based on the rule conditions: "ALLOW" or "DENY". The default is "ALLOW".

  • authtype (pulumi.Input[str]) – Authentication entrypoint: "ANY" or "RADIUS".

  • mfa_lifetime (pulumi.Input[float]) – Elapsed time before the next MFA challenge.

  • mfa_prompt (pulumi.Input[str]) – Prompt for MFA based on the device used, a factor session lifetime, or every sign on attempt: "DEVICE", "SESSION" or "ALWAYS".

  • mfa_remember_device (pulumi.Input[bool]) – Remember MFA device. The default is false.

  • mfa_required (pulumi.Input[bool]) – Require MFA. The default is false.

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • session_idle (pulumi.Input[float]) – Max minutes a session can be idle.

  • session_lifetime (pulumi.Input[float]) – Max minutes a session is active: Disable = 0.

  • session_persistent (pulumi.Input[bool]) – Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

  • users_excludeds (pulumi.Input[list]) – Set of User IDs to Exclude
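
As an added example (not part of the Pulumi or Okta documentation), the following lint checks a dict of RuleSignon keyword arguments against the allowed values and defaults listed above before the rule is deployed. The function name lint_signon_rule, the finding codes, the 720-minute ceiling and the sample rules are assumptions made for illustration.

```python
"""Pre-deployment lint for keyword arguments destined for okta.policy.RuleSignon.

Added example: works on plain dicts, so it runs without Pulumi or an Okta org.
"""

# Allowed values, copied from the parameter descriptions on this page.
ENUMS = {
    "access": {"ALLOW", "DENY"},
    "authtype": {"ANY", "RADIUS"},
    "mfa_prompt": {"DEVICE", "SESSION", "ALWAYS"},
    "network_connection": {"ANYWHERE", "ZONE", "ON_NETWORK", "OFF_NETWORK"},
    "status": {"ACTIVE", "INACTIVE"},
}

# Defaults stated on this page; applied when an argument is omitted.
DOCUMENTED_DEFAULTS = {"access": "ALLOW", "mfa_required": False}

# Hypothetical organisational ceiling in minutes (not an Okta or Pulumi value).
MAX_SESSION_LIFETIME = 720


def lint_signon_rule(args, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of (severity, code, message) findings for one rule."""
    eff = {**DOCUMENTED_DEFAULTS, **args}
    findings = []

    # Errors: values or combinations the documentation does not allow.
    for key, allowed in ENUMS.items():
        if key in eff and eff[key] not in allowed:
            findings.append(("error", "bad-enum",
                             f"{key}={eff[key]!r} is not one of {sorted(allowed)}"))
    if eff.get("network_includes") and eff.get("network_excludes"):
        findings.append(("error", "zone-conflict",
                         "network_includes conflicts with network_excludes"))

    # Warnings only matter for rules that grant access and are not switched off.
    # An omitted status is treated as live, which is the conservative reading.
    if eff["access"] != "ALLOW" or eff.get("status") == "INACTIVE":
        return findings

    if not eff["mfa_required"]:
        findings.append(("warn", "no-mfa",
                         "ALLOW rule without mfa_required=True (default is false)"))
    if eff.get("session_persistent"):
        findings.append(("warn", "persistent-session",
                         "session cookies will last across browser sessions"))
    lifetime = eff.get("session_lifetime")
    if lifetime == 0:
        findings.append(("warn", "lifetime-disabled",
                         "session_lifetime=0 disables the maximum session lifetime"))
    elif lifetime is not None and lifetime > max_lifetime:
        findings.append(("warn", "lifetime-long",
                         f"session_lifetime={lifetime} exceeds {max_lifetime} minutes"))
    if eff.get("users_excludeds"):
        findings.append(("info", "exclusions",
                         f"{len(eff['users_excludeds'])} user ID(s) are excluded from this rule"))
    return findings


# Constructed sample rules (placeholders, not values from a real Okta org).
SAMPLE_RULES = {
    "legacy-allow": {"policyid": "<policy id>", "network_connection": "ZONE",
                     "network_includes": ["<zone a>"], "network_excludes": ["<zone b>"],
                     "session_lifetime": 0, "session_persistent": True,
                     "users_excludeds": ["<user id>"]},
    "hardened": {"policyid": "<policy id>", "access": "ALLOW", "mfa_required": True,
                 "mfa_prompt": "ALWAYS", "session_idle": 30, "session_lifetime": 480,
                 "session_persistent": False, "status": "ACTIVE"},
    "typo": {"policyid": "<policy id>", "access": "allow", "mfa_required": True,
             "status": "ACTIVE"},
}

if __name__ == "__main__":
    for name, rule_args in SAMPLE_RULES.items():
        print(name)
        for severity, code, message in lint_signon_rule(rule_args) or [("ok", "-", "no findings")]:
            print(f"  [{severity}] {code}: {message}")
```

A dict that passes the lint can be unpacked into the resource, for example okta.policy.RuleSignon("example", **rule_args).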

access: pulumi.Output[str] = None

Allow or deny access based on the rule conditions: "ALLOW" or "DENY". The default is "ALLOW".

authtype: pulumi.Output[str] = None

Authentication entrypoint: "ANY" or "RADIUS".

mfa_lifetime: pulumi.Output[float] = None

Elapsed time before the next MFA challenge.

mfa_prompt: pulumi.Output[str] = None

Prompt for MFA based on the device used, a factor session lifetime, or every sign on attempt: "DEVICE", "SESSION" or "ALWAYS".

mfa_remember_device: pulumi.Output[bool] = None

Remember MFA device. The default is false.

mfa_required: pulumi.Output[bool] = None

Require MFA. The default is false.

name: pulumi.Output[str] = None

Policy Rule Name.

network_connection: pulumi.Output[str] = None

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

network_excludes: pulumi.Output[list] = None

The network zones to exclude. Conflicts with network_includes.

network_includes: pulumi.Output[list] = None

The network zones to include. Conflicts with network_excludes.

policyid: pulumi.Output[str] = None

Policy ID.

priority: pulumi.Output[float] = None

Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

session_idle: pulumi.Output[float] = None

Max minutes a session can be idle.

session_lifetime: pulumi.Output[float] = None

Max minutes a session is active: Disable = 0.

session_persistent: pulumi.Output[bool] = None

Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies.

status: pulumi.Output[str] = None

Policy Rule Status: "ACTIVE" or "INACTIVE".

users_excludeds: pulumi.Output[list] = None

Set of User IDs to Exclude

static get(resource_name, id, opts=None, access=None, authtype=None, mfa_lifetime=None, mfa_prompt=None, mfa_remember_device=None, mfa_required=None, name=None, network_connection=None, network_excludes=None, network_includes=None, policyid=None, priority=None, session_idle=None, session_lifetime=None, session_persistent=None, status=None, users_excludeds=None)

Get an existing RuleSignon resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access (pulumi.Input[str]) – Allow or deny access based on the rule conditions: "ALLOW" or "DENY". The default is "ALLOW".

  • authtype (pulumi.Input[str]) – Authentication entrypoint: "ANY" or "RADIUS".

  • mfa_lifetime (pulumi.Input[float]) – Elapsed time before the next MFA challenge.

  • mfa_prompt (pulumi.Input[str]) – Prompt for MFA based on the device used, a factor session lifetime, or every sign on attempt: "DEVICE", "SESSION" or "ALWAYS".

  • mfa_remember_device (pulumi.Input[bool]) – Remember MFA device. The default is false.

  • mfa_required (pulumi.Input[bool]) – Require MFA. The default is false.

  • name (pulumi.Input[str]) – Policy Rule Name.

  • network_connection (pulumi.Input[str]) – Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

  • network_excludes (pulumi.Input[list]) – The network zones to exclude. Conflicts with network_includes.

  • network_includes (pulumi.Input[list]) – The network zones to include. Conflicts with network_excludes.

  • policyid (pulumi.Input[str]) – Policy ID.

  • priority (pulumi.Input[float]) – Policy Rule Priority. This attribute can be set to a valid priority. To avoid an endless diff, an error is raised if an invalid priority is provided. If omitted, the API defaults it to the last/lowest priority.

  • session_idle (pulumi.Input[float]) – Max minutes a session can be idle.

  • session_lifetime (pulumi.Input[float]) – Max minutes a session is active: Disable = 0.

  • session_persistent (pulumi.Input[bool]) – Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies.

  • status (pulumi.Input[str]) – Policy Rule Status: "ACTIVE" or "INACTIVE".

  • users_excludeds (pulumi.Input[list]) – Set of User IDs to Exclude

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_okta.policy.Signon(resource_name, opts=None, description=None, groups_includeds=None, name=None, priority=None, status=None, __props__=None, __name__=None, __opts__=None)

Creates a Sign On Policy.

This resource allows you to create and configure a Sign On Policy.

import pulumi
import pulumi_okta as okta

# Look up the built-in "Everyone" group so the policy can reference its ID.
everyone = okta.group.get_group(name="Everyone")

example = okta.policy.Signon("example",
    description="Example",
    groups_includeds=[everyone.id],
    status="ACTIVE")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Policy Description.

  • groups_includeds (pulumi.Input[list]) – List of Group IDs to Include.

  • name (pulumi.Input[str]) – Policy Name.

  • priority (pulumi.Input[float]) – Priority of the policy.

  • status (pulumi.Input[str]) – Policy Status: "ACTIVE" or "INACTIVE".

description: pulumi.Output[str] = None

Policy Description.

groups_includeds: pulumi.Output[list] = None

List of Group IDs to Include.

name: pulumi.Output[str] = None

Policy Name.

priority: pulumi.Output[float] = None

Priority of the policy.

status: pulumi.Output[str] = None

Policy Status: "ACTIVE" or "INACTIVE".

static get(resource_name, id, opts=None, description=None, groups_includeds=None, name=None, priority=None, status=None)

Get an existing Signon resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – Policy Description.

  • groups_includeds (pulumi.Input[list]) – List of Group IDs to Include.

  • name (pulumi.Input[str]) – Policy Name.

  • priority (pulumi.Input[float]) – Priority of the policy.

  • status (pulumi.Input[str]) – Policy Status: "ACTIVE" or "INACTIVE".

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_okta.policy.get_default_policy(type=None, opts=None)

Use this data source to retrieve a “Default” policy from Okta. The same result can be achieved using policy.getPolicy with name = "Default"; this is simply a shortcut.

import pulumi
import pulumi_okta as okta

example = okta.policy.get_default_policy(type="PASSWORD")
Parameters

type (str) – type of policy to retrieve.

pulumi_okta.policy.get_policy(name=None, type=None, opts=None)

Use this data source to retrieve a policy from Okta.

import pulumi
import pulumi_okta as okta

example = okta.policy.get_policy(name="Password Policy Example",
    type="PASSWORD")
Parameters
  • name (str) – name of policy to retrieve.

  • type (str) – type of policy to retrieve.