Viewing docs for Okta v6.3.1
published on Thursday, Mar 12, 2026 by Pulumi
published on Thursday, Mar 12, 2026 by Pulumi
Viewing docs for Okta v6.3.1
published on Thursday, Mar 12, 2026 by Pulumi
published on Thursday, Mar 12, 2026 by Pulumi
#<span pulumi-lang-nodejs=" okta.app.SignonPolicyRules
" pulumi-lang-dotnet=" okta.app.SignonPolicyRules " pulumi-lang-go=" app.SignonPolicyRules " pulumi-lang-python=" app.SignonPolicyRules " pulumi-lang-yaml=" okta.app.SignonPolicyRules " pulumi-lang-java=" okta.app.SignonPolicyRules “> okta.app.SignonPolicyRules Manages multiple app sign-on policy rules for a single policy. This resource allows you to define all rules for a policy in a single configuration block, ensuring consistent priority ordering and avoiding drift issues.
IMPORTANT: This resource uses name-first matching to identify and update rules. When migrating from individual
okta.AppSignonPolicyRuleresources, ensure rule names remain consistent to enable safe adoption without data loss.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
const example = new okta.app.SignonPolicyRules("example", {
policyId: exampleOktaAppSignonPolicy.id,
rules: [
{
name: "High Priority Rule",
priority: 1,
factorMode: "2FA",
reAuthenticationFrequency: "PT2H",
status: "ACTIVE",
},
{
name: "Low Priority Rule",
priority: 2,
factorMode: "1FA",
access: "ALLOW",
status: "ACTIVE",
},
{
name: "Deny Rule",
priority: 3,
access: "DENY",
status: "ACTIVE",
},
],
});
import pulumi
import pulumi_okta as okta
example = okta.app.SignonPolicyRules("example",
policy_id=example_okta_app_signon_policy["id"],
rules=[
{
"name": "High Priority Rule",
"priority": 1,
"factor_mode": "2FA",
"re_authentication_frequency": "PT2H",
"status": "ACTIVE",
},
{
"name": "Low Priority Rule",
"priority": 2,
"factor_mode": "1FA",
"access": "ALLOW",
"status": "ACTIVE",
},
{
"name": "Deny Rule",
"priority": 3,
"access": "DENY",
"status": "ACTIVE",
},
])
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v6/go/okta/app"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := app.NewSignonPolicyRules(ctx, "example", &app.SignonPolicyRulesArgs{
PolicyId: pulumi.Any(exampleOktaAppSignonPolicy.Id),
Rules: app.SignonPolicyRulesRuleArray{
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("High Priority Rule"),
Priority: pulumi.Int(1),
FactorMode: pulumi.String("2FA"),
ReAuthenticationFrequency: pulumi.String("PT2H"),
Status: pulumi.String("ACTIVE"),
},
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("Low Priority Rule"),
Priority: pulumi.Int(2),
FactorMode: pulumi.String("1FA"),
Access: pulumi.String("ALLOW"),
Status: pulumi.String("ACTIVE"),
},
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("Deny Rule"),
Priority: pulumi.Int(3),
Access: pulumi.String("DENY"),
Status: pulumi.String("ACTIVE"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
var example = new Okta.App.SignonPolicyRules("example", new()
{
PolicyId = exampleOktaAppSignonPolicy.Id,
Rules = new[]
{
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "High Priority Rule",
Priority = 1,
FactorMode = "2FA",
ReAuthenticationFrequency = "PT2H",
Status = "ACTIVE",
},
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "Low Priority Rule",
Priority = 2,
FactorMode = "1FA",
Access = "ALLOW",
Status = "ACTIVE",
},
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "Deny Rule",
Priority = 3,
Access = "DENY",
Status = "ACTIVE",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.SignonPolicyRules;
import com.pulumi.okta.app.SignonPolicyRulesArgs;
import com.pulumi.okta.app.inputs.SignonPolicyRulesRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new SignonPolicyRules("example", SignonPolicyRulesArgs.builder()
.policyId(exampleOktaAppSignonPolicy.id())
.rules(
SignonPolicyRulesRuleArgs.builder()
.name("High Priority Rule")
.priority(1)
.factorMode("2FA")
.reAuthenticationFrequency("PT2H")
.status("ACTIVE")
.build(),
SignonPolicyRulesRuleArgs.builder()
.name("Low Priority Rule")
.priority(2)
.factorMode("1FA")
.access("ALLOW")
.status("ACTIVE")
.build(),
SignonPolicyRulesRuleArgs.builder()
.name("Deny Rule")
.priority(3)
.access("DENY")
.status("ACTIVE")
.build())
.build());
}
}
resources:
example:
type: okta:app:SignonPolicyRules
properties:
policyId: ${exampleOktaAppSignonPolicy.id}
rules:
- name: High Priority Rule
priority: 1
factorMode: 2FA
reAuthenticationFrequency: PT2H
status: ACTIVE
- name: Low Priority Rule
priority: 2
factorMode: 1FA
access: ALLOW
status: ACTIVE
- name: Deny Rule
priority: 3
access: DENY
status: ACTIVE
Priority Management
IMPORTANT: When managing priorities, follow Okta’s top-down synchronization strategy to avoid automatic priority shifting. Always update rules in priority order (P1 → PN) to prevent cascading shifts.
Priority Behavior
- Priorities are 0-indexed but can be any positive integer.
- When you omit
priorityin config, Terraform will display the actual priority assigned by Okta in the state. - Okta allows gaps in priorities (e.g., priorities 1, 2, 5, 99 are valid).
- Maximum of 99 rules per policy: You can define up to 99 custom rules. Priority 99 is reserved for the system Catch-all Rule.
- If you update multiple rules simultaneously and priorities conflict, Okta may automatically shift priorities to resolve conflicts. To prevent this:
- Use explicit, sequential priority values (1, 2, 3, 4, 5).
- Avoid updating rules with the same priority.
- Consider using temporary high priorities (100+) if reordering is needed.
System Rules and Catch-all Rule
- Catch-all Rule: Every policy includes a system-level Catch-all Rule with priority 99. This is the default rule that applies if no other rules match.
- Immutable: System rules (like “Catch-all Rule”) cannot be modified, deleted, or have their conditions/priorities changed.
- Import behavior: If you import a policy with a Catch-all Rule, it will appear in your state but cannot be managed by Terraform. Omit it from your configuration.
Migration from<span pulumi-lang-nodejs=” okta.AppSignonPolicyRule
" pulumi-lang-dotnet=" okta.AppSignonPolicyRule
" pulumi-lang-go=" AppSignonPolicyRule
" pulumi-lang-python=" AppSignonPolicyRule
" pulumi-lang-yaml=" okta.AppSignonPolicyRule
" pulumi-lang-java=" okta.AppSignonPolicyRule
“> okta.AppSignonPolicyRule
If you currently use multiple individual okta.AppSignonPolicyRule resources, follow these steps to safely migrate to the grouped resource:
Step 1: Backup Your State
pulumi state pull > terraform-state-backup.json
Step 2: Identify Rule IDs and Names
List all rules in your policy to identify their IDs and names:
# Using Terraform state
pulumi state show 'okta_app_signon_policy_rule.rule1'
Step 4: Create the Grouped Resource Configuration
Create a new okta.app.SignonPolicyRules resource with the same rules. Use rule names as the matching key (do NOT include id unless adopting an existing rule):
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
const migrated = new okta.app.SignonPolicyRules("migrated", {
policyId: myPolicy.id,
rules: [
{
name: "High Priority Rule",
priority: 1,
factorMode: "2FA",
reAuthenticationFrequency: "PT2H",
status: "ACTIVE",
},
{
name: "Second Rule",
priority: 2,
factorMode: "1FA",
status: "ACTIVE",
},
{
name: "Deny Rule",
priority: 3,
access: "DENY",
status: "ACTIVE",
},
],
});
import pulumi
import pulumi_okta as okta
migrated = okta.app.SignonPolicyRules("migrated",
policy_id=my_policy["id"],
rules=[
{
"name": "High Priority Rule",
"priority": 1,
"factor_mode": "2FA",
"re_authentication_frequency": "PT2H",
"status": "ACTIVE",
},
{
"name": "Second Rule",
"priority": 2,
"factor_mode": "1FA",
"status": "ACTIVE",
},
{
"name": "Deny Rule",
"priority": 3,
"access": "DENY",
"status": "ACTIVE",
},
])
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v6/go/okta/app"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := app.NewSignonPolicyRules(ctx, "migrated", &app.SignonPolicyRulesArgs{
PolicyId: pulumi.Any(myPolicy.Id),
Rules: app.SignonPolicyRulesRuleArray{
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("High Priority Rule"),
Priority: pulumi.Int(1),
FactorMode: pulumi.String("2FA"),
ReAuthenticationFrequency: pulumi.String("PT2H"),
Status: pulumi.String("ACTIVE"),
},
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("Second Rule"),
Priority: pulumi.Int(2),
FactorMode: pulumi.String("1FA"),
Status: pulumi.String("ACTIVE"),
},
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("Deny Rule"),
Priority: pulumi.Int(3),
Access: pulumi.String("DENY"),
Status: pulumi.String("ACTIVE"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
var migrated = new Okta.App.SignonPolicyRules("migrated", new()
{
PolicyId = myPolicy.Id,
Rules = new[]
{
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "High Priority Rule",
Priority = 1,
FactorMode = "2FA",
ReAuthenticationFrequency = "PT2H",
Status = "ACTIVE",
},
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "Second Rule",
Priority = 2,
FactorMode = "1FA",
Status = "ACTIVE",
},
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "Deny Rule",
Priority = 3,
Access = "DENY",
Status = "ACTIVE",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.SignonPolicyRules;
import com.pulumi.okta.app.SignonPolicyRulesArgs;
import com.pulumi.okta.app.inputs.SignonPolicyRulesRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var migrated = new SignonPolicyRules("migrated", SignonPolicyRulesArgs.builder()
.policyId(myPolicy.id())
.rules(
SignonPolicyRulesRuleArgs.builder()
.name("High Priority Rule")
.priority(1)
.factorMode("2FA")
.reAuthenticationFrequency("PT2H")
.status("ACTIVE")
.build(),
SignonPolicyRulesRuleArgs.builder()
.name("Second Rule")
.priority(2)
.factorMode("1FA")
.status("ACTIVE")
.build(),
SignonPolicyRulesRuleArgs.builder()
.name("Deny Rule")
.priority(3)
.access("DENY")
.status("ACTIVE")
.build())
.build());
}
}
resources:
migrated:
type: okta:app:SignonPolicyRules
properties:
policyId: ${myPolicy.id}
rules:
- name: High Priority Rule
priority: 1
factorMode: 2FA
reAuthenticationFrequency: PT2H
status: ACTIVE
- name: Second Rule
priority: 2
factorMode: 1FA
status: ACTIVE
- name: Deny Rule
priority: 3
access: DENY
status: ACTIVE
Step 5: Plan and Verify
Run pulumi preview to see if any changes will be made:
pulumi preview -out migration.tfplan
Expected outcome: Either “No changes” or only legitimate config updates. If the plan shows unexpected deletes or recreates:
- Verify rule names match exactly (case-sensitive).
- Check that attributes (access, factor_mode, etc.) match Okta’s current state.
- Ensure you’re not declaring system rules (e.g., Catch-all Rule).
Step 6: Apply the Migration
pulumi up migration.tfplan
Step 6: Verify Final State
pulumi preview
# Output should show: No changes. Your infrastructure matches the configuration.
Create SignonPolicyRules Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SignonPolicyRules(name: string, args: SignonPolicyRulesArgs, opts?: CustomResourceOptions);@overload
def SignonPolicyRules(resource_name: str,
args: SignonPolicyRulesArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SignonPolicyRules(resource_name: str,
opts: Optional[ResourceOptions] = None,
policy_id: Optional[str] = None,
rules: Optional[Sequence[SignonPolicyRulesRuleArgs]] = None)func NewSignonPolicyRules(ctx *Context, name string, args SignonPolicyRulesArgs, opts ...ResourceOption) (*SignonPolicyRules, error)public SignonPolicyRules(string name, SignonPolicyRulesArgs args, CustomResourceOptions? opts = null)
public SignonPolicyRules(String name, SignonPolicyRulesArgs args)
public SignonPolicyRules(String name, SignonPolicyRulesArgs args, CustomResourceOptions options)
type: okta:app:SignonPolicyRules
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SignonPolicyRulesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SignonPolicyRulesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SignonPolicyRulesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SignonPolicyRulesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SignonPolicyRulesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var signonPolicyRulesResource = new Okta.App.SignonPolicyRules("signonPolicyRulesResource", new()
{
PolicyId = "string",
Rules = new[]
{
new Okta.App.Inputs.SignonPolicyRulesRuleArgs
{
Name = "string",
NetworkConnection = "string",
UserTypesExcludeds = new[]
{
"string",
},
DeviceAssurancesIncludeds = new[]
{
"string",
},
DeviceIsManaged = false,
DeviceIsRegistered = false,
FactorMode = "string",
GroupsExcludeds = new[]
{
"string",
},
GroupsIncludeds = new[]
{
"string",
},
Id = "string",
InactivityPeriod = "string",
Constraints = new[]
{
"string",
},
Access = "string",
CustomExpression = "string",
PlatformIncludes = new[]
{
new Okta.App.Inputs.SignonPolicyRulesRulePlatformIncludeArgs
{
OsExpression = "string",
OsType = "string",
Type = "string",
},
},
NetworkExcludes = new[]
{
"string",
},
Priority = 0,
ReAuthenticationFrequency = "string",
RiskScore = "string",
Status = "string",
System = false,
Type = "string",
NetworkIncludes = new[]
{
"string",
},
UserTypesIncludeds = new[]
{
"string",
},
UsersExcludeds = new[]
{
"string",
},
UsersIncludeds = new[]
{
"string",
},
},
},
});
example, err := app.NewSignonPolicyRules(ctx, "signonPolicyRulesResource", &app.SignonPolicyRulesArgs{
PolicyId: pulumi.String("string"),
Rules: app.SignonPolicyRulesRuleArray{
&app.SignonPolicyRulesRuleArgs{
Name: pulumi.String("string"),
NetworkConnection: pulumi.String("string"),
UserTypesExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
DeviceAssurancesIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
DeviceIsManaged: pulumi.Bool(false),
DeviceIsRegistered: pulumi.Bool(false),
FactorMode: pulumi.String("string"),
GroupsExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
GroupsIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
Id: pulumi.String("string"),
InactivityPeriod: pulumi.String("string"),
Constraints: pulumi.StringArray{
pulumi.String("string"),
},
Access: pulumi.String("string"),
CustomExpression: pulumi.String("string"),
PlatformIncludes: app.SignonPolicyRulesRulePlatformIncludeArray{
&app.SignonPolicyRulesRulePlatformIncludeArgs{
OsExpression: pulumi.String("string"),
OsType: pulumi.String("string"),
Type: pulumi.String("string"),
},
},
NetworkExcludes: pulumi.StringArray{
pulumi.String("string"),
},
Priority: pulumi.Int(0),
ReAuthenticationFrequency: pulumi.String("string"),
RiskScore: pulumi.String("string"),
Status: pulumi.String("string"),
System: pulumi.Bool(false),
Type: pulumi.String("string"),
NetworkIncludes: pulumi.StringArray{
pulumi.String("string"),
},
UserTypesIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
UsersExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
UsersIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
},
},
})
var signonPolicyRulesResource = new SignonPolicyRules("signonPolicyRulesResource", SignonPolicyRulesArgs.builder()
.policyId("string")
.rules(SignonPolicyRulesRuleArgs.builder()
.name("string")
.networkConnection("string")
.userTypesExcludeds("string")
.deviceAssurancesIncludeds("string")
.deviceIsManaged(false)
.deviceIsRegistered(false)
.factorMode("string")
.groupsExcludeds("string")
.groupsIncludeds("string")
.id("string")
.inactivityPeriod("string")
.constraints("string")
.access("string")
.customExpression("string")
.platformIncludes(SignonPolicyRulesRulePlatformIncludeArgs.builder()
.osExpression("string")
.osType("string")
.type("string")
.build())
.networkExcludes("string")
.priority(0)
.reAuthenticationFrequency("string")
.riskScore("string")
.status("string")
.system(false)
.type("string")
.networkIncludes("string")
.userTypesIncludeds("string")
.usersExcludeds("string")
.usersIncludeds("string")
.build())
.build());
signon_policy_rules_resource = okta.app.SignonPolicyRules("signonPolicyRulesResource",
policy_id="string",
rules=[{
"name": "string",
"network_connection": "string",
"user_types_excludeds": ["string"],
"device_assurances_includeds": ["string"],
"device_is_managed": False,
"device_is_registered": False,
"factor_mode": "string",
"groups_excludeds": ["string"],
"groups_includeds": ["string"],
"id": "string",
"inactivity_period": "string",
"constraints": ["string"],
"access": "string",
"custom_expression": "string",
"platform_includes": [{
"os_expression": "string",
"os_type": "string",
"type": "string",
}],
"network_excludes": ["string"],
"priority": 0,
"re_authentication_frequency": "string",
"risk_score": "string",
"status": "string",
"system": False,
"type": "string",
"network_includes": ["string"],
"user_types_includeds": ["string"],
"users_excludeds": ["string"],
"users_includeds": ["string"],
}])
const signonPolicyRulesResource = new okta.app.SignonPolicyRules("signonPolicyRulesResource", {
policyId: "string",
rules: [{
name: "string",
networkConnection: "string",
userTypesExcludeds: ["string"],
deviceAssurancesIncludeds: ["string"],
deviceIsManaged: false,
deviceIsRegistered: false,
factorMode: "string",
groupsExcludeds: ["string"],
groupsIncludeds: ["string"],
id: "string",
inactivityPeriod: "string",
constraints: ["string"],
access: "string",
customExpression: "string",
platformIncludes: [{
osExpression: "string",
osType: "string",
type: "string",
}],
networkExcludes: ["string"],
priority: 0,
reAuthenticationFrequency: "string",
riskScore: "string",
status: "string",
system: false,
type: "string",
networkIncludes: ["string"],
userTypesIncludeds: ["string"],
usersExcludeds: ["string"],
usersIncludeds: ["string"],
}],
});
type: okta:app:SignonPolicyRules
properties:
policyId: string
rules:
- access: string
constraints:
- string
customExpression: string
deviceAssurancesIncludeds:
- string
deviceIsManaged: false
deviceIsRegistered: false
factorMode: string
groupsExcludeds:
- string
groupsIncludeds:
- string
id: string
inactivityPeriod: string
name: string
networkConnection: string
networkExcludes:
- string
networkIncludes:
- string
platformIncludes:
- osExpression: string
osType: string
type: string
priority: 0
reAuthenticationFrequency: string
riskScore: string
status: string
system: false
type: string
userTypesExcludeds:
- string
userTypesIncludeds:
- string
usersExcludeds:
- string
usersIncludeds:
- string
SignonPolicyRules Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SignonPolicyRules resource accepts the following input properties:
- Policy
Id string - ID of the policy to manage rules for.
- Rules
List<Signon
Policy Rules Rule> - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- Policy
Id string - ID of the policy to manage rules for.
- Rules
[]Signon
Policy Rules Rule Args - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy
Id String - ID of the policy to manage rules for.
- rules
List<Signon
Policy Rules Rule> - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy
Id string - ID of the policy to manage rules for.
- rules
Signon
Policy Rules Rule[] - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy_
id str - ID of the policy to manage rules for.
- rules
Sequence[Signon
Policy Rules Rule Args] - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy
Id String - ID of the policy to manage rules for.
- rules List<Property Map>
- List of policy rules. Rules are processed in priority order (lowest number = highest priority).
Outputs
All input properties are implicitly available as output properties. Additionally, the SignonPolicyRules resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SignonPolicyRules Resource
Get an existing SignonPolicyRules resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SignonPolicyRulesState, opts?: CustomResourceOptions): SignonPolicyRules@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
policy_id: Optional[str] = None,
rules: Optional[Sequence[SignonPolicyRulesRuleArgs]] = None) -> SignonPolicyRulesfunc GetSignonPolicyRules(ctx *Context, name string, id IDInput, state *SignonPolicyRulesState, opts ...ResourceOption) (*SignonPolicyRules, error)public static SignonPolicyRules Get(string name, Input<string> id, SignonPolicyRulesState? state, CustomResourceOptions? opts = null)public static SignonPolicyRules get(String name, Output<String> id, SignonPolicyRulesState state, CustomResourceOptions options)resources: _: type: okta:app:SignonPolicyRules get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Policy
Id string - ID of the policy to manage rules for.
- Rules
List<Signon
Policy Rules Rule> - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- Policy
Id string - ID of the policy to manage rules for.
- Rules
[]Signon
Policy Rules Rule Args - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy
Id String - ID of the policy to manage rules for.
- rules
List<Signon
Policy Rules Rule> - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy
Id string - ID of the policy to manage rules for.
- rules
Signon
Policy Rules Rule[] - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy_
id str - ID of the policy to manage rules for.
- rules
Sequence[Signon
Policy Rules Rule Args] - List of policy rules. Rules are processed in priority order (lowest number = highest priority).
- policy
Id String - ID of the policy to manage rules for.
- rules List<Property Map>
- List of policy rules. Rules are processed in priority order (lowest number = highest priority).
Supporting Types
SignonPolicyRulesRule, SignonPolicyRulesRuleArgs
- Name string
- Policy Rule Name. Must be unique within the policy.
- Access string
- Access decision: ALLOW or DENY.
- Constraints List<string>
- List of authenticator constraints as JSON-encoded strings.
- Custom
Expression string - Custom Okta Expression Language condition for advanced matching.
- Device
Assurances List<string>Includeds - Set of device assurance policy IDs to include.
- Device
Is boolManaged - Require device to be managed by a device management system.
- Device
Is boolRegistered - Require device to be registered with Okta Verify.
- Factor
Mode string - Number of factors required: 1FA or 2FA.
- Groups
Excludeds List<string> - Set of group IDs to exclude from this rule.
- Groups
Includeds List<string> - Set of group IDs to include in this rule.
- Id string
- (String) - The ID of this resource (same as
policy_id). - Inactivity
Period string - Inactivity period before re-authentication in ISO 8601 duration format.
- Network
Connection string - Network selection mode: ANYWHERE, ZONE, ON_NETWORK, or OFF_NETWORK.
- Network
Excludes List<string> - List of network zone IDs to exclude.
- Network
Includes List<string> - List of network zone IDs to include.
- Platform
Includes List<SignonPolicy Rules Rule Platform Include> - Platform conditions to include.
- Priority int
- Priority of the rule. Lower numbers are evaluated first.
- Re
Authentication stringFrequency - Re-authentication frequency in ISO 8601 duration format (e.g., PT2H for 2 hours).
- Risk
Score string - Risk score level to match: ANY, LOW, MEDIUM, or HIGH.
- Status string
- Status of the rule: ACTIVE or INACTIVE.
- System bool
- Whether this is a system rule (e.g., Catch-all Rule). System rules cannot be modified.
- Type string
- Verification method type.
- User
Types List<string>Excludeds - Set of user type IDs to exclude.
- User
Types List<string>Includeds - Set of user type IDs to include.
- Users
Excludeds List<string> - Set of user IDs to exclude from this rule.
- Users
Includeds List<string> - Set of user IDs to include in this rule.
- Name string
- Policy Rule Name. Must be unique within the policy.
- Access string
- Access decision: ALLOW or DENY.
- Constraints []string
- List of authenticator constraints as JSON-encoded strings.
- Custom
Expression string - Custom Okta Expression Language condition for advanced matching.
- Device
Assurances []stringIncludeds - Set of device assurance policy IDs to include.
- Device
Is boolManaged - Require device to be managed by a device management system.
- Device
Is boolRegistered - Require device to be registered with Okta Verify.
- Factor
Mode string - Number of factors required: 1FA or 2FA.
- Groups
Excludeds []string - Set of group IDs to exclude from this rule.
- Groups
Includeds []string - Set of group IDs to include in this rule.
- Id string
- (String) - The ID of this resource (same as
policy_id). - Inactivity
Period string - Inactivity period before re-authentication in ISO 8601 duration format.
- Network
Connection string - Network selection mode: ANYWHERE, ZONE, ON_NETWORK, or OFF_NETWORK.
- Network
Excludes []string - List of network zone IDs to exclude.
- Network
Includes []string - List of network zone IDs to include.
- Platform
Includes []SignonPolicy Rules Rule Platform Include - Platform conditions to include.
- Priority int
- Priority of the rule. Lower numbers are evaluated first.
- Re
Authentication stringFrequency - Re-authentication frequency in ISO 8601 duration format (e.g., PT2H for 2 hours).
- Risk
Score string - Risk score level to match: ANY, LOW, MEDIUM, or HIGH.
- Status string
- Status of the rule: ACTIVE or INACTIVE.
- System bool
- Whether this is a system rule (e.g., Catch-all Rule). System rules cannot be modified.
- Type string
- Verification method type.
- User
Types []stringExcludeds - Set of user type IDs to exclude.
- User
Types []stringIncludeds - Set of user type IDs to include.
- Users
Excludeds []string - Set of user IDs to exclude from this rule.
- Users
Includeds []string - Set of user IDs to include in this rule.
- name String
- Policy Rule Name. Must be unique within the policy.
- access String
- Access decision: ALLOW or DENY.
- constraints List<String>
- List of authenticator constraints as JSON-encoded strings.
- custom
Expression String - Custom Okta Expression Language condition for advanced matching.
- device
Assurances List<String>Includeds - Set of device assurance policy IDs to include.
- device
Is BooleanManaged - Require device to be managed by a device management system.
- device
Is BooleanRegistered - Require device to be registered with Okta Verify.
- factor
Mode String - Number of factors required: 1FA or 2FA.
- groups
Excludeds List<String> - Set of group IDs to exclude from this rule.
- groups
Includeds List<String> - Set of group IDs to include in this rule.
- id String
- (String) - The ID of this resource (same as
policy_id). - inactivity
Period String - Inactivity period before re-authentication in ISO 8601 duration format.
- network
Connection String - Network selection mode: ANYWHERE, ZONE, ON_NETWORK, or OFF_NETWORK.
- network
Excludes List<String> - List of network zone IDs to exclude.
- network
Includes List<String> - List of network zone IDs to include.
- platform
Includes List<SignonPolicy Rules Rule Platform Include> - Platform conditions to include.
- priority Integer
- Priority of the rule. Lower numbers are evaluated first.
- re
Authentication StringFrequency - Re-authentication frequency in ISO 8601 duration format (e.g., PT2H for 2 hours).
- risk
Score String - Risk score level to match: ANY, LOW, MEDIUM, or HIGH.
- status String
- Status of the rule: ACTIVE or INACTIVE.
- system Boolean
- Whether this is a system rule (e.g., Catch-all Rule). System rules cannot be modified.
- type String
- Verification method type.
- user
Types List<String>Excludeds - Set of user type IDs to exclude.
- user
Types List<String>Includeds - Set of user type IDs to include.
- users
Excludeds List<String> - Set of user IDs to exclude from this rule.
- users
Includeds List<String> - Set of user IDs to include in this rule.
- name string
- Policy Rule Name. Must be unique within the policy.
- access string
- Access decision: ALLOW or DENY.
- constraints string[]
- List of authenticator constraints as JSON-encoded strings.
- custom
Expression string - Custom Okta Expression Language condition for advanced matching.
- device
Assurances string[]Includeds - Set of device assurance policy IDs to include.
- device
Is booleanManaged - Require device to be managed by a device management system.
- device
Is booleanRegistered - Require device to be registered with Okta Verify.
- factor
Mode string - Number of factors required: 1FA or 2FA.
- groups
Excludeds string[] - Set of group IDs to exclude from this rule.
- groups
Includeds string[] - Set of group IDs to include in this rule.
- id string
- (String) - The ID of this resource (same as
policy_id). - inactivity
Period string - Inactivity period before re-authentication in ISO 8601 duration format.
- network
Connection string - Network selection mode: ANYWHERE, ZONE, ON_NETWORK, or OFF_NETWORK.
- network
Excludes string[] - List of network zone IDs to exclude.
- network
Includes string[] - List of network zone IDs to include.
- platform
Includes SignonPolicy Rules Rule Platform Include[] - Platform conditions to include.
- priority number
- Priority of the rule. Lower numbers are evaluated first.
- re
Authentication stringFrequency - Re-authentication frequency in ISO 8601 duration format (e.g., PT2H for 2 hours).
- risk
Score string - Risk score level to match: ANY, LOW, MEDIUM, or HIGH.
- status string
- Status of the rule: ACTIVE or INACTIVE.
- system boolean
- Whether this is a system rule (e.g., Catch-all Rule). System rules cannot be modified.
- type string
- Verification method type.
- user
Types string[]Excludeds - Set of user type IDs to exclude.
- user
Types string[]Includeds - Set of user type IDs to include.
- users
Excludeds string[] - Set of user IDs to exclude from this rule.
- users
Includeds string[] - Set of user IDs to include in this rule.
- name str
- Policy Rule Name. Must be unique within the policy.
- access str
- Access decision: ALLOW or DENY.
- constraints Sequence[str]
- List of authenticator constraints as JSON-encoded strings.
- custom_
expression str - Custom Okta Expression Language condition for advanced matching.
- device_
assurances_ Sequence[str]includeds - Set of device assurance policy IDs to include.
- device_
is_ boolmanaged - Require device to be managed by a device management system.
- device_
is_ boolregistered - Require device to be registered with Okta Verify.
- factor_
mode str - Number of factors required: 1FA or 2FA.
- groups_
excludeds Sequence[str] - Set of group IDs to exclude from this rule.
- groups_
includeds Sequence[str] - Set of group IDs to include in this rule.
- id str
- (String) - The ID of this resource (same as
policy_id). - inactivity_
period str - Inactivity period before re-authentication in ISO 8601 duration format.
- network_
connection str - Network selection mode: ANYWHERE, ZONE, ON_NETWORK, or OFF_NETWORK.
- network_
excludes Sequence[str] - List of network zone IDs to exclude.
- network_
includes Sequence[str] - List of network zone IDs to include.
- platform_
includes Sequence[SignonPolicy Rules Rule Platform Include] - Platform conditions to include.
- priority int
- Priority of the rule. Lower numbers are evaluated first.
- re_
authentication_ strfrequency - Re-authentication frequency in ISO 8601 duration format (e.g., PT2H for 2 hours).
- risk_
score str - Risk score level to match: ANY, LOW, MEDIUM, or HIGH.
- status str
- Status of the rule: ACTIVE or INACTIVE.
- system bool
- Whether this is a system rule (e.g., Catch-all Rule). System rules cannot be modified.
- type str
- Verification method type.
- user_
types_ Sequence[str]excludeds - Set of user type IDs to exclude.
- user_
types_ Sequence[str]includeds - Set of user type IDs to include.
- users_
excludeds Sequence[str] - Set of user IDs to exclude from this rule.
- users_
includeds Sequence[str] - Set of user IDs to include in this rule.
- name String
- Policy Rule Name. Must be unique within the policy.
- access String
- Access decision: ALLOW or DENY.
- constraints List<String>
- List of authenticator constraints as JSON-encoded strings.
- custom
Expression String - Custom Okta Expression Language condition for advanced matching.
- device
Assurances List<String>Includeds - Set of device assurance policy IDs to include.
- device
Is BooleanManaged - Require device to be managed by a device management system.
- device
Is BooleanRegistered - Require device to be registered with Okta Verify.
- factor
Mode String - Number of factors required: 1FA or 2FA.
- groups
Excludeds List<String> - Set of group IDs to exclude from this rule.
- groups
Includeds List<String> - Set of group IDs to include in this rule.
- id String
- (String) - The ID of this resource (same as
policy_id). - inactivity
Period String - Inactivity period before re-authentication in ISO 8601 duration format.
- network
Connection String - Network selection mode: ANYWHERE, ZONE, ON_NETWORK, or OFF_NETWORK.
- network
Excludes List<String> - List of network zone IDs to exclude.
- network
Includes List<String> - List of network zone IDs to include.
- platform
Includes List<Property Map> - Platform conditions to include.
- priority Number
- Priority of the rule. Lower numbers are evaluated first.
- re
Authentication StringFrequency - Re-authentication frequency in ISO 8601 duration format (e.g., PT2H for 2 hours).
- risk
Score String - Risk score level to match: ANY, LOW, MEDIUM, or HIGH.
- status String
- Status of the rule: ACTIVE or INACTIVE.
- system Boolean
- Whether this is a system rule (e.g., Catch-all Rule). System rules cannot be modified.
- type String
- Verification method type.
- user
Types List<String>Excludeds - Set of user type IDs to exclude.
- user
Types List<String>Includeds - Set of user type IDs to include.
- users
Excludeds List<String> - Set of user IDs to exclude from this rule.
- users
Includeds List<String> - Set of user IDs to include in this rule.
SignonPolicyRulesRulePlatformInclude, SignonPolicyRulesRulePlatformIncludeArgs
- Os
Expression string - Custom OS expression for advanced matching.
- Os
Type string - OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
- Type string
- Platform type: ANY, MOBILE, or DESKTOP.
- Os
Expression string - Custom OS expression for advanced matching.
- Os
Type string - OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
- Type string
- Platform type: ANY, MOBILE, or DESKTOP.
- os
Expression String - Custom OS expression for advanced matching.
- os
Type String - OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
- type String
- Platform type: ANY, MOBILE, or DESKTOP.
- os
Expression string - Custom OS expression for advanced matching.
- os
Type string - OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
- type string
- Platform type: ANY, MOBILE, or DESKTOP.
- os_
expression str - Custom OS expression for advanced matching.
- os_
type str - OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
- type str
- Platform type: ANY, MOBILE, or DESKTOP.
- os
Expression String - Custom OS expression for advanced matching.
- os
Type String - OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
- type String
- Platform type: ANY, MOBILE, or DESKTOP.
Import
ant Migration Notes
Priority Differences
When migrating from okta.AppSignonPolicyRule (single-rule resource) to okta.app.SignonPolicyRules (grouped resource):
- Old behavior: Single-rule resource defaults to
priority = 0in Terraform state, even if Okta assigned a different priority. - New behavior: Grouped resource reflects the actual priority assigned by Okta. When you omit
priority, the state will show the real Okta-assigned priority.
Action: Explicitly set priority values in your configuration to avoid unexpected changes during migration.
Name-First Matching
The grouped resource matches rules by name first, not by ID:
- If you rename a rule in config, the provider will match it to the existing rule by the new name.
- If a name doesn’t exist in Okta, a new rule is created.
- This design prevents accidental re-matching when state order differs from config order.
System Rules
System rules (e.g., “Catch-all Rule”) cannot be managed:
- If your policy has a system rule, do NOT declare it in your configuration.
- The provider will detect it during import/read but will not attempt to modify or delete it.
- System rules are read-only from Terraform’s perspective.
Troubleshooting
Plan shows “1 to change” but config matches Okta
Cause: State and config rule order differ, triggering re-matching.
Solution: Verify rule names match exactly (case-sensitive) and attributes are correct. Run pulumi preview -refresh=true to refresh state from Okta.
Priorities shift unexpectedly after apply
Cause: Okta automatically shifts priorities when updates conflict. This is expected behavior per Okta’s prioritization rules.
Solution: Use explicit, sequential priorities (1, 2, 3, …) instead of 0-indexed or sparse values. Avoid updating multiple rules simultaneously with overlapping priorities.
Error: “System rule cannot be modified”
Cause: You attempted to set conditions on a system rule (Catch-all Rule).
Solution: Remove the system rule from your configuration. System rules are immutable.
See Also
- okta.AppSignonPolicy - Create and manage app sign-on policies.
- Okta Policy Rule Prioritization Guide - Learn about priority management and top-down synchronization.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Okta pulumi/pulumi-okta
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
oktaTerraform Provider.
Viewing docs for Okta v6.3.1
published on Thursday, Mar 12, 2026 by Pulumi
published on Thursday, Mar 12, 2026 by Pulumi
