diff --git a/examples/okta_user/basic_with_credentials_updated_old_password.tf b/examples/okta_user/basic_with_credentials_updated_old_password.tf
new file mode 100644
index 000000000..902b0b241
--- /dev/null
+++ b/examples/okta_user/basic_with_credentials_updated_old_password.tf
@@ -0,0 +1,10 @@
+resource "okta_user" "test" {
+ first_name = "TestAcc"
+ last_name = "Smith"
+ login = "testAcc-replace_with_uuid@example.com"
+ email = "testAcc-replace_with_uuid@example.com"
+ password = "Super#Secret@007"
+ old_password = "SuperSecret007"
+ recovery_question = "0011 & 1010"
+ recovery_answer = "0010"
+}
diff --git a/okta/resource_okta_user.go b/okta/resource_okta_user.go
index ee09f19d5..bb0742ab0 100644
--- a/okta/resource_okta_user.go
+++ b/okta/resource_okta_user.go
@@ -599,23 +599,39 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 if passwordChange {
 oldPassword, newPassword := d.GetChange("password")
- old, ok := d.GetOk("old_password")
- if ok {
+ old, oldPasswordExist := d.GetOk("old_password")
+ if oldPasswordExist {
 oldPassword = old
 }
- op := &okta.PasswordCredential{
- Value: oldPassword.(string),
- }
- np := &okta.PasswordCredential{
- Value: newPassword.(string),
- }
- npr := &okta.ChangePasswordRequest{
- OldPassword: op,
- NewPassword: np,
+ if oldPasswordExist {
+ op := &okta.PasswordCredential{
+ Value: oldPassword.(string),
+ }
+ np := &okta.PasswordCredential{
+ Value: newPassword.(string),
+ }
+ npr := &okta.ChangePasswordRequest{
+ OldPassword: op,
+ NewPassword: np,
+ }
+ _, _, err := client.User.ChangePassword(ctx, d.Id(), *npr, nil)
+ if err != nil {
+ return diag.Errorf("failed to update user's password: %v", err)
+ }
 }
- _, _, err := client.User.ChangePassword(ctx, d.Id(), *npr, nil)
- if err != nil {
- return diag.Errorf("failed to update user's password: %v", err)
+ if !oldPasswordExist {
+ password, _ := newPassword.(string)
+ user := okta.User{
+ Credentials: &okta.UserCredentials{
+ Password: &okta.PasswordCredential{
+ Value: password,
+ },
+ },
+ }
+ _, _, err := client.User.UpdateUser(ctx, d.Id(), user, nil)
+ if err != nil {
+ return diag.Errorf("failed to set user's password: %v", err)
+ }
 }
 }
diff --git a/okta/resource_okta_user_test.go b/okta/resource_okta_user_test.go
index 75b7d2c9f..a4976c1df 100644
--- a/okta/resource_okta_user_test.go
+++ b/okta/resource_okta_user_test.go
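Review bot: The new `if !oldPasswordExist` branch sets the password through `client.User.UpdateUser` with `password, _ := newPassword.(string)`, which drops the assertion result, so a failed assertion or a removed `password` attribute would be sent as an empty credential rather than rejected; add `if password == "" { return diag.Errorf("password must not be empty when updating user's password") }` before building `user`. The branch also changes the security behaviour when `old_password` is absent: the prior state value is no longer passed to `ChangePassword`, so the current credential is presumably not verified and a password changed outside Terraform is overwritten; that deserves a comment above the branch such as `// old_password not set: administrative password set, the current password is not verified`. Since the two conditions are complementary, `if oldPasswordExist { … } else { … }` would be clearer than two separate `if` blocks. `passwordChange` is computed outside the hunk and the body of `resourceUserUpdate` continues past it.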
@@ -241,6 +241,7 @@ func TestAccOktaUser_updateCredentials(t *testing.T) {
 mgr := newFixtureManager(user)
 config := mgr.GetFixtures("basic_with_credentials.tf", ri, t)
 minimalConfigWithCredentials := mgr.GetFixtures("basic_with_credentials_updated.tf", ri, t)
+ minimalConfigWithCredentialsOldPassword := mgr.GetFixtures("basic_with_credentials_updated_old_password.tf", ri, t)
 resourceName := fmt.Sprintf("%s.test", user)
 email := fmt.Sprintf("testAcc-%d@example.com", ri)
@@ -271,6 +272,18 @@ func TestAccOktaUser_updateCredentials(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "recovery_answer", "Asterisk"),
 ),
 },
+ {
+ Config: minimalConfigWithCredentialsOldPassword,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "first_name", "TestAcc"),
+ resource.TestCheckResourceAttr(resourceName, "last_name", "Smith"),
+ resource.TestCheckResourceAttr(resourceName, "login", email),
+ resource.TestCheckResourceAttr(resourceName, "email", email),
+ resource.TestCheckResourceAttr(resourceName, "password", "Super#Secret@007"),
+ resource.TestCheckResourceAttr(resourceName, "old_password", "SuperSecret007"),
+ resource.TestCheckResourceAttr(resourceName, "recovery_answer", "0010"),
+ ),
+ },
 },
 })
 }
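Review bot: The step added in the second hunk only compares state attributes with the values written in the fixture, so it would likely pass whether the provider called `ChangePassword` or took the administrative set path; nothing here shows that `old_password` was actually validated. A negative step that supplies a wrong `old_password` and sets `ExpectError: regexp.MustCompile("failed to update user's password")` would pin the verified path (the file's imports are outside the hunk, so `regexp` may need adding). The assertions on `password` and `old_password` also confirm that both values are readable from state in plain text; whether the schema marks them `Sensitive` is not visible here and is worth checking. The first hunk only loads the new fixture.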