Terraform Provider Fails to Update Okta MFA Policy With API Validation Error
Overview
When managing an okta_policy_mfa resource using the Okta Terraform Provider, an Application Programming Interface (API) validation error occurs if an administrator removes an authenticator from the Okta Admin Console and then attempts to update the same Terraform resource. Re-adding the removed authenticator in the Okta Admin Console or deleting and recreating the policy via Terraform resolves the issue. When this failure occurs, Okta generates the following error message:
Error: failed to update MFA policy: the API returned an error: Api validation failed: settings.authenticators[3].key. Causes: errorSummary: settings.authenticators[3].key: Not one of the allowed values.
Applies To
- Okta Identity Engine (OIE)
- Okta Terraform Provider
- Application Programming Interface (API)
- Authenticators
- Multi-Factor Authentication (MFA) Enrollment Policies
Cause
When the okta_policy_mfa resource is first created, Terraform fetches all active authenticators for the org and records them in the state file, including authenticators that were not explicitly configured, stored as null.
When an authenticator is subsequently removed from the org outside of Terraform (for example, in the Okta Admin Console) and a terraform apply is run, Terraform attempts to send the full list of authenticators from state (including the now-removed one) to the Okta API. The API rejects the request because the removed authenticator key is no longer a valid value.
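The drift described above can be caught before terraform apply fails. The following pre-check is an added example, not part of this article or of the Okta Terraform Provider: it takes the JSON produced by terraform show -json and the JSON array returned by GET /api/v1/authenticators, and reports every authenticator entry that an okta_policy_mfa resource still carries in state but that the org no longer reports as ACTIVE. The set of authenticator attribute names, the treatment of null entries as "not carried" (the provider's exact behaviour for null entries may differ by version), and the sample data are assumptions constructed for the example.

```python
import json
import sys

# Authenticator attribute names exposed by okta_policy_mfa that match the "key"
# field of GET /api/v1/authenticators. Assumed for this example; check the
# provider documentation for the names your provider version uses.
AUTHENTICATOR_KEYS = {
    "okta_email", "okta_password", "okta_verify", "google_otp",
    "phone_number", "security_question", "webauthn", "duo",
}


def active_keys(authenticators_response):
    """Keys of the authenticators the org currently reports as ACTIVE."""
    return {a["key"] for a in authenticators_response if a.get("status") == "ACTIVE"}


def mfa_policy_resources(state):
    """Yield (address, values) for every okta_policy_mfa resource in
    `terraform show -json` output, walking child modules as well."""
    stack = [state.get("values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") == "okta_policy_mfa":
                yield res["address"], res.get("values", {})
        stack.extend(module.get("child_modules", []))


def stale_authenticators(state, authenticators_response):
    """Return [(address, key)] for non-null authenticator entries in state whose
    key is no longer ACTIVE in the org (the condition that makes the API reject
    the next update with 'Not one of the allowed values')."""
    active = active_keys(authenticators_response)
    stale = []
    for address, values in mfa_policy_resources(state):
        for key in sorted(AUTHENTICATOR_KEYS):
            if values.get(key) is not None and key not in active:
                stale.append((address, key))
    return stale


# Constructed sample: a state in which google_otp was recorded when the policy
# was created, and an authenticators listing in which it has since been
# deactivated in the Admin Console.
SAMPLE_STATE = {
    "values": {
        "root_module": {
            "resources": [
                {
                    "address": "okta_policy_mfa.default",
                    "type": "okta_policy_mfa",
                    "values": {
                        "name": "Default MFA policy",
                        "is_oie": True,
                        "okta_password": {"enroll": "REQUIRED"},
                        "okta_email": {"enroll": "REQUIRED"},
                        "okta_verify": {"enroll": "OPTIONAL"},
                        "google_otp": {"enroll": "OPTIONAL"},
                        "phone_number": None,
                        "webauthn": None,
                    },
                }
            ]
        }
    }
}

SAMPLE_AUTHENTICATORS = [
    {"key": "okta_email", "status": "ACTIVE"},
    {"key": "okta_password", "status": "ACTIVE"},
    {"key": "okta_verify", "status": "ACTIVE"},
    {"key": "google_otp", "status": "INACTIVE"},
    {"key": "phone_number", "status": "INACTIVE"},
]


def main(argv):
    # Usage: python mfa_precheck.py state.json authenticators.json
    # With no arguments the constructed sample data is used.
    if len(argv) == 3:
        with open(argv[1]) as f:
            state = json.load(f)
        with open(argv[2]) as f:
            authenticators = json.load(f)
    else:
        state, authenticators = SAMPLE_STATE, SAMPLE_AUTHENTICATORS
    findings = stale_authenticators(state, authenticators)
    for address, key in findings:
        print(f"{address}: '{key}' is in state but not ACTIVE in the org")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit from the check is the signal to re-add the authenticator or to recreate the policy before running terraform apply; the authenticators JSON is the body of GET /api/v1/authenticators and the state JSON is the output of terraform show -json.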
Solution
How is the Terraform MFA policy update error resolved?
Resolve the API validation error by re-adding the removed authenticator in the Okta Admin Console or deleting and recreating the policy via Terraform.
Re-add the removed authenticator in the Okta Admin Console.
- In the Okta Admin Console, go to Security > Authenticators > Setup.
- Re-add the authenticator that was removed. Once the authenticator is active again, Terraform updates succeed.
Delete and recreate the policy via Terraform.
If re-adding the authenticator is not feasible, remove the existing policy and let Terraform recreate it.
- Run terraform destroy -target=okta_policy_mfa.<resource_name> to delete the existing policy.
- Run terraform apply to recreate the policy from the current Terraform configuration.
NOTE: Deleting the policy will remove any associated policy rules. Ensure all rules are defined in Terraform or backed up before proceeding, as they will need to be recreated along with the policy.
