
Terraform Provider Fails to Update Okta MFA Policy With API Validation Error

Okta Identity Engine
SDKs & Libraries

Overview

When managing an okta_policy_mfa resource with the Okta Terraform Provider, an Application Programming Interface (API) validation error occurs if an administrator removes an authenticator in the Okta Admin Console and then attempts to update that same Terraform resource. Re-adding the removed authenticator in the Okta Admin Console, or deleting and recreating the policy via Terraform, resolves the issue. When this failure occurs, Okta returns the following error message:


Error: failed to update MFA policy: the API returned an error: Api validation failed: settings.authenticators[3].key. Causes: errorSummary: settings.authenticators[3].key: Not one of the allowed values.


Applies To

  • Okta Identity Engine (OIE)
  • Okta Terraform Provider
  • Application Programming Interface (API)
  • Authenticators
  • Multi-Factor Authentication (MFA) Enrollment Policies

Cause

When the okta_policy_mfa resource is first created, Terraform fetches every active authenticator in the org and records each one in the state file. Authenticators that were not explicitly configured in the resource are still recorded, with a null value.

When an authenticator is subsequently removed from the org outside of Terraform (for example, in the Okta Admin Console) and terraform apply is run, Terraform sends the full list of authenticators held in state, including the now-removed one, to the Okta API. The API rejects the request because the removed authenticator's key is no longer an allowed value.
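A pre-apply check that surfaces this drift before the API rejects the update, added here as an example and not part of this article or of the Okta Terraform Provider: it compares the authenticator attributes an okta_policy_mfa resource holds in `terraform show -json` output against the authenticators the org reports as ACTIVE from GET /api/v1/authenticators, and lists any key that Terraform still carries but the org no longer has active. Both inputs are constructed sample documents embedded below; the resource address okta_policy_mfa.example, the policy name and the attribute list AUTHENTICATOR_ATTRS are assumptions for illustration (the provider's exact attribute set is version-dependent).

```python
"""Detect okta_policy_mfa authenticators that are no longer active in the org.

Added example (not from the Okta article or the Okta Terraform Provider).
Inputs are constructed samples shaped like `terraform show -json` output and
the body of GET /api/v1/authenticators; pass the real documents in practice.
"""
import json
from typing import Dict, Iterator, List, Set

# okta_policy_mfa attributes whose names match Okta authenticator keys.
# Assumption for illustration: the provider's full list is version-dependent.
AUTHENTICATOR_ATTRS = (
    "okta_email", "okta_password", "okta_verify", "phone_number",
    "google_otp", "security_question", "webauthn", "duo",
)

# Constructed sample: trimmed `terraform show -json` output for one resource.
# phone_number is recorded as null, as the article describes for
# authenticators that were never explicitly configured in the resource.
SAMPLE_STATE_JSON = """
{
  "values": {
    "root_module": {
      "resources": [
        {
          "address": "okta_policy_mfa.example",
          "type": "okta_policy_mfa",
          "values": {
            "name": "Example MFA policy",
            "okta_email":   {"enroll": "REQUIRED"},
            "okta_verify":  {"enroll": "OPTIONAL"},
            "phone_number": null,
            "google_otp":   {"enroll": "OPTIONAL"}
          }
        }
      ]
    }
  }
}
"""

# Constructed sample: GET /api/v1/authenticators after an admin deactivated
# Google Authenticator in the Admin Console, outside of Terraform.
SAMPLE_AUTHENTICATORS_JSON = """
[
  {"key": "okta_email",    "name": "Email",                "status": "ACTIVE"},
  {"key": "okta_verify",   "name": "Okta Verify",          "status": "ACTIVE"},
  {"key": "okta_password", "name": "Password",             "status": "ACTIVE"},
  {"key": "google_otp",    "name": "Google Authenticator", "status": "INACTIVE"},
  {"key": "phone_number",  "name": "Phone",                "status": "ACTIVE"}
]
"""


def active_authenticator_keys(authenticators_json: str) -> Set[str]:
    """Keys of authenticators the org currently reports as ACTIVE."""
    return {a["key"] for a in json.loads(authenticators_json)
            if a.get("status") == "ACTIVE"}


def _walk_resources(module: dict) -> Iterator[dict]:
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def configured_authenticators(state_json: str, address: str) -> Dict[str, dict]:
    """Non-null authenticator attributes of the okta_policy_mfa at `address`."""
    root = json.loads(state_json)["values"]["root_module"]
    for res in _walk_resources(root):
        if res.get("type") == "okta_policy_mfa" and res.get("address") == address:
            values = res.get("values", {})
            return {k: values[k] for k in AUTHENTICATOR_ATTRS
                    if values.get(k) is not None}
    raise KeyError(f"{address} not found in state")


def find_stale_authenticators(state_json: str, authenticators_json: str,
                              address: str) -> List[str]:
    """Authenticator keys Terraform would send that the org no longer has active."""
    configured = configured_authenticators(state_json, address)
    active = active_authenticator_keys(authenticators_json)
    return sorted(k for k in configured if k not in active)


if __name__ == "__main__":
    stale = find_stale_authenticators(SAMPLE_STATE_JSON, SAMPLE_AUTHENTICATORS_JSON,
                                      "okta_policy_mfa.example")
    if stale:
        print("authenticators in Terraform state but not active in org:", stale)
        print("terraform apply would fail with 'Not one of the allowed values'")
    else:
        print("no authenticator drift detected")
```

In practice, write `terraform show -json` to a file, fetch the authenticator list with an Okta API token, and feed both files to find_stale_authenticators for each okta_policy_mfa address in the plan. A non-empty result means the apply will hit the validation error above, and you can choose between the two resolutions in the Solution section before anything is changed.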

Solution

How is the Terraform MFA policy update error resolved?

Resolve the API validation error either by re-adding the removed authenticator in the Okta Admin Console or by deleting and recreating the policy via Terraform.


Re-add the removed authenticator in the Okta Admin Console.

  1. In the Okta Admin Console, go to Security > Authenticators > Setup.
  2. Re-add the authenticator that was removed. Once the authenticator is active again, Terraform updates succeed.

Delete and recreate the policy via Terraform.
If re-adding the authenticator is not feasible, destroy the existing policy and let Terraform recreate it from the current configuration.

  1. Run terraform destroy -target=okta_policy_mfa.<resource_name> to delete the existing policy.
  2. Run terraform apply to recreate the policy from the current Terraform configuration.


NOTE: Deleting the policy also removes any associated policy rules. Ensure all rules are defined in Terraform or backed up before proceeding, because they must be recreated along with the policy.

