global-session-policy

This module creates the following resources.

  • okta_policy_signon
  • okta_policy_rule_signon (optional)

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.8 |
| okta | >= 4.8 |

Providers

| Name | Version |
|------|---------|
| okta | 4.8.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| okta_policy_rule_signon.this | resource |
| okta_policy_signon.this | resource |
| okta_group.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | (Required) A name of the Okta Global Session Policy. | string | n/a | yes |
| description | (Optional) A description of the Okta Global Session Policy. | string | "Managed by Terraform." | no |
| enabled | (Optional) Whether to enable the Okta Global Session Policy. Defaults to true. | bool | true | no |
| groups | (Optional) A set of group IDs to assign the Okta Global Session Policy to. | set(string) | [] | no |
| priority | (Optional) A priority of the Okta Global Session Policy. | number | null | no |
| rules | (Optional) A configuration for rules of the Okta Global Session Policy. Each item of rules is an object as defined below. | list(object) (see below) | [] | no |

Each item of the rules list is an object with the following attributes:

- (Required) name - A name of the global session policy rule.
- (Optional) priority - A priority of the global session policy rule. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided, so set it explicitly when the order in which rules are evaluated matters.
- (Optional) enabled - Whether to enable the global session policy rule. Defaults to true.
- (Optional) condition - A condition of the global session policy rule. The condition block is defined below.
  - (Optional) excluded_users - A set of user IDs to exclude.
  - (Optional) network - A configuration for the network condition. The network block is defined below.
    - (Optional) excluded_zones - A set of zone IDs to exclude.
    - (Optional) included_zones - A set of zone IDs to include.
  - (Optional) authentication - A configuration for the authentication condition. The authentication block is defined below.
    - (Optional) entrypoint - The entry point for the authentication. Valid values are ANY, LDAP_INTERFACE, or RADIUS. Defaults to ANY.
    - (Optional) identity_provider - The identity provider for the authentication. Valid values are ANY, OKTA, or SPECIFIC_IDP. Defaults to ANY. WARNING: Use of identity_provider requires a feature flag to be enabled.
- (Optional) allow_access - Whether to allow access. Defaults to true.
- (Optional) primary_factor - The primary authentication factor. Only works for the Okta Identity Engine. Valid values are PASSWORD_IDP or PASSWORD_IDP_ANY_FACTOR. Defaults to PASSWORD_IDP_ANY_FACTOR.
  - PASSWORD_IDP: Users must always use a password to establish a session.
  - PASSWORD_IDP_ANY_FACTOR: Users can use any factor required by the app authentication policy to establish a session.
- (Optional) mfa - A configuration for multi-factor authentication. The mfa block is defined below.
  - (Optional) required - Whether to require multi-factor authentication. Defaults to false.
  - (Optional) prompt_mode - Indicates whether the user should be challenged for MFA based on the device being used, a factor session lifetime, or on every sign-in attempt. Valid values are ALWAYS, SESSION, or DEVICE. Defaults to ALWAYS.
  - (Optional) session_duration - Interval of time, in minutes, that must elapse before the user is challenged for MFA again. Only used when prompt_mode is set to SESSION. Defaults to 15 minutes.
  - (Optional) remember_device_by_default - Whether Okta should automatically remember the device. Defaults to false.
- (Optional) session - A configuration for the session of the global session policy rule. The session block is defined below.
  - (Optional) duration - Max minutes a session is active. Setting a maximum session lifetime reduces the risk of session cookie misuse or hijacking. The value of 0 means unlimited. Defaults to 720 (12 hours).
  - (Optional) idle_timeout - Max minutes a session can be idle. A global session will expire when the user is inactive for the specified amount of time, regardless of the maximum global session lifetime. Defaults to 120 (2 hours).
  - (Optional) persistent_cookie_enabled - Whether to enable the persistent cookie. If enabled, when a user reopens their browser and their session is still active, they won't be asked to sign in again; this also means a stolen session cookie stays usable until the session itself expires. Defaults to false.

The type of the rules variable is:

```hcl
list(object({
  name     = string
  priority = optional(number)
  enabled  = optional(bool, true)

  condition = optional(object({
    excluded_users = optional(set(string), [])
    network = optional(object({
      excluded_zones = optional(set(string), [])
      included_zones = optional(set(string), [])
    }), {})
    authentication = optional(object({
      entrypoint        = optional(string, "ANY")
      identity_provider = optional(string, "ANY")
    }), {})
  }), {})

  allow_access   = optional(bool, true)
  primary_factor = optional(string, "PASSWORD_IDP_ANY_FACTOR")
  mfa = optional(object({
    required                   = optional(bool, false)
    prompt_mode                = optional(string, "ALWAYS")
    session_duration           = optional(number, 15)
    remember_device_by_default = optional(bool, false)
  }), {})
  session = optional(object({
    duration                  = optional(number, 60 * 12)
    idle_timeout              = optional(number, 60 * 2)
    persistent_cookie_enabled = optional(bool, false)
  }), {})
}))
```
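As an added example (not part of this module's own documentation), the following root-module configuration calls the module with the inputs described above: a first rule that denies session creation from every network zone except a trusted one, followed by a rule that, from the trusted zone, forces a password as the primary factor, requires MFA on every sign-in, and bounds the session lifetime well below the 720 / 120 minute defaults. The module source path, the group ID, the zone ID and the output name are placeholders and are assumptions, not values from this repository.

```hcl
# Added example: calling the global-session-policy module.
# The source path, group ID and zone ID below are placeholders (assumptions).
module "global_session_policy_admins" {
  source = "./modules/global-session-policy" # assumed local path to this module

  name        = "admins-global-session"
  description = "Hardened global session policy for administrators."
  enabled     = true
  priority    = 1
  groups      = ["00g0000000000000admin"] # assumed Okta group ID

  rules = [
    # Rule 1: deny session creation from any zone other than the trusted one.
    # Priority is set explicitly on every rule: the Okta API places a rule
    # last when priority is omitted, which would put this deny rule after
    # the allow rule below.
    {
      name     = "deny-untrusted-networks"
      priority = 1
      condition = {
        network = {
          excluded_zones = ["nzo0000000000000corp"] # assumed trusted zone ID
        }
      }
      allow_access = false
    },

    # Rule 2: from the trusted zone, always use a password to establish the
    # session, require MFA on every sign-in (so mfa.session_duration is
    # unused), and keep session lifetimes short. persistent_cookie_enabled is
    # left false so a closed browser ends the session.
    {
      name           = "trusted-networks-mfa"
      priority       = 2
      primary_factor = "PASSWORD_IDP"
      condition = {
        network = {
          included_zones = ["nzo0000000000000corp"] # assumed trusted zone ID
        }
        authentication = {
          entrypoint = "ANY"
        }
      }
      mfa = {
        required                   = true
        prompt_mode                = "ALWAYS"
        remember_device_by_default = false
      }
      session = {
        duration                  = 60 * 4 # 4 hours, instead of the default 12
        idle_timeout              = 30     # 30 minutes, instead of the default 120
        persistent_cookie_enabled = false
      }
    },
  ]
}

# Assumed output name; the module exposes the policy ID as "id".
output "admin_global_session_policy_id" {
  value = module.global_session_policy_admins.id
}
```

Omitting the `priority` on the deny rule would let the Okta API append it after the allow rule, so a user on an untrusted network would match the allow rule first; setting both priorities keeps the evaluation order under Terraform's control and stable across plans.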

Outputs

| Name | Description |
|------|-------------|
| description | The description of the Okta Global Session Policy. |
| enabled | Whether to enable the Okta Global Session Policy. |
| groups | The information for the assigned groups of the Okta Global Session Policy. |
| id | The ID of the Okta Global Session Policy. |
| name | The name of the Okta Global Session Policy. |
| priority | The priority of the Okta Global Session Policy. |
| rules | The configuration for rules of the Okta Global Session Policy. |