@pulumi/okta 6.6.0-alpha.1777359759 → 6.6.0

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@pulumi/okta",
-    "version": "6.6.0-alpha.1777359759",
-    "description": "A Pulumi package for creating and managing okta resources.. Based on terraform-provider-okta: version v6.9.0",
+    "version": "6.6.0",
+    "description": "A Pulumi package for creating and managing okta resources.. Based on terraform-provider-okta: version v6.10.0",
     "keywords": [
         "pulumi",
         "okta"
@@ -23,6 +23,6 @@
     "pulumi": {
         "resource": true,
         "name": "okta",
-        "version": "6.6.0-alpha.1777359759"
+        "version": "6.6.0"
     }
 }

package/policy/getRulePassword.d.ts

@@ -0,0 +1,146 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as outputs from "../types/output";
+/**
+ * Get a Password Policy Rule from Okta.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const password = okta.policy.getDefaultPolicy({
+ *     type: "PASSWORD",
+ * });
+ * const exampleRulePassword = new okta.policy.RulePassword("example", {
+ *     policyId: password.then(password => password.id),
+ *     name: "My Password Rule",
+ * });
+ * const example = pulumi.all([password, exampleRulePassword.id]).apply(([password, id]) => okta.policy.getRulePasswordOutput({
+ *     policyId: password.id,
+ *     id: id,
+ * }));
+ * ```
+ */
+export declare function getRulePassword(args: GetRulePasswordArgs, opts?: pulumi.InvokeOptions): Promise<GetRulePasswordResult>;
+/**
+ * A collection of arguments for invoking getRulePassword.
+ */
+export interface GetRulePasswordArgs {
+    /**
+     * The ID of this resource.
+     */
+    id: string;
+    /**
+     * Name of the rule.
+     */
+    name?: string;
+    /**
+     * ID of the Policy owning this rule.
+     */
+    policyId: string;
+}
+/**
+ * A collection of values returned by getRulePassword.
+ */
+export interface GetRulePasswordResult {
+    readonly groupsExcludeds: string[];
+    readonly groupsIncludeds: string[];
+    /**
+     * The ID of this resource.
+     */
+    readonly id: string;
+    /**
+     * Name of the rule.
+     */
+    readonly name: string;
+    /**
+     * Network selection mode: `ANYWHERE`, `ZONE`.
+     */
+    readonly networkConnection: string;
+    /**
+     * Network zones to exclude (when `networkConnection` = `ZONE`).
+     */
+    readonly networkExcludes: string[];
+    /**
+     * Network zones to include (when `networkConnection` = `ZONE`).
+     */
+    readonly networkIncludes: string[];
+    /**
+     * Whether a user is allowed to change their password: `ALLOW` or `DENY`.
+     */
+    readonly passwordChange: string;
+    /**
+     * Whether a user is allowed to reset their password: `ALLOW` or `DENY`.
+     */
+    readonly passwordReset: string;
+    /**
+     * Whether SSPR access is governed by an authentication policy or legacy behavior. Options: `LEGACY`, `AUTH_POLICY`.
+     */
+    readonly passwordResetAccessControl: string;
+    /**
+     * Self-service password reset (SSPR) requirement settings.
+     */
+    readonly passwordResetRequirements: outputs.policy.GetRulePasswordPasswordResetRequirement[];
+    /**
+     * Whether a user is allowed to unlock their account: `ALLOW` or `DENY`.
+     */
+    readonly passwordUnlock: string;
+    /**
+     * ID of the Policy owning this rule.
+     */
+    readonly policyId: string;
+    /**
+     * Priority of the rule.
+     */
+    readonly priority: number;
+    /**
+     * Status of the rule: `ACTIVE` or `INACTIVE`.
+     */
+    readonly status: string;
+    /**
+     * User IDs excluded from this rule.
+     */
+    readonly usersExcludeds: string[];
+    readonly usersIncludeds: string[];
+}
+/**
+ * Get a Password Policy Rule from Okta.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const password = okta.policy.getDefaultPolicy({
+ *     type: "PASSWORD",
+ * });
+ * const exampleRulePassword = new okta.policy.RulePassword("example", {
+ *     policyId: password.then(password => password.id),
+ *     name: "My Password Rule",
+ * });
+ * const example = pulumi.all([password, exampleRulePassword.id]).apply(([password, id]) => okta.policy.getRulePasswordOutput({
+ *     policyId: password.id,
+ *     id: id,
+ * }));
+ * ```
+ */
+export declare function getRulePasswordOutput(args: GetRulePasswordOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetRulePasswordResult>;
+/**
+ * A collection of arguments for invoking getRulePassword.
+ */
+export interface GetRulePasswordOutputArgs {
+    /**
+     * The ID of this resource.
+     */
+    id: pulumi.Input<string>;
+    /**
+     * Name of the rule.
+     */
+    name?: pulumi.Input<string>;
+    /**
+     * ID of the Policy owning this rule.
+     */
+    policyId: pulumi.Input<string>;
+}

package/policy/getRulePassword.js

@@ -0,0 +1,70 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRulePasswordOutput = exports.getRulePassword = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../utilities");
+/**
+ * Get a Password Policy Rule from Okta.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const password = okta.policy.getDefaultPolicy({
+ *     type: "PASSWORD",
+ * });
+ * const exampleRulePassword = new okta.policy.RulePassword("example", {
+ *     policyId: password.then(password => password.id),
+ *     name: "My Password Rule",
+ * });
+ * const example = pulumi.all([password, exampleRulePassword.id]).apply(([password, id]) => okta.policy.getRulePasswordOutput({
+ *     policyId: password.id,
+ *     id: id,
+ * }));
+ * ```
+ */
+function getRulePassword(args, opts) {
+    opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
+    return pulumi.runtime.invoke("okta:policy/getRulePassword:getRulePassword", {
+        "id": args.id,
+        "name": args.name,
+        "policyId": args.policyId,
+    }, opts);
+}
+exports.getRulePassword = getRulePassword;
+/**
+ * Get a Password Policy Rule from Okta.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const password = okta.policy.getDefaultPolicy({
+ *     type: "PASSWORD",
+ * });
+ * const exampleRulePassword = new okta.policy.RulePassword("example", {
+ *     policyId: password.then(password => password.id),
+ *     name: "My Password Rule",
+ * });
+ * const example = pulumi.all([password, exampleRulePassword.id]).apply(([password, id]) => okta.policy.getRulePasswordOutput({
+ *     policyId: password.id,
+ *     id: id,
+ * }));
+ * ```
+ */
+function getRulePasswordOutput(args, opts) {
+    opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
+    return pulumi.runtime.invokeOutput("okta:policy/getRulePassword:getRulePassword", {
+        "id": args.id,
+        "name": args.name,
+        "policyId": args.policyId,
+    }, opts);
+}
+exports.getRulePasswordOutput = getRulePasswordOutput;
+//# sourceMappingURL=getRulePassword.js.map

package/policy/getRulePassword.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getRulePassword.js","sourceRoot":"","sources":["../../policy/getRulePassword.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,eAAe,CAAC,IAAyB,EAAE,IAA2B;IAClF,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,6CAA6C,EAAE;QACxE,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,MAAM,EAAE,IAAI,CAAC,IAAI;QACjB,UAAU,EAAE,IAAI,CAAC,QAAQ;KAC5B,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAPD,0CAOC;AAoFD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,qBAAqB,CAAC,IAA+B,EAAE,IAAiC;IACpG,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,6CAA6C,EAAE;QAC9E,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,MAAM,EAAE,IAAI,CAAC,IAAI;QACjB,UAAU,EAAE,IAAI,CAAC,QAAQ;KAC5B,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAPD,sDAOC"}

package/policy/index.d.ts

@@ -19,6 +19,9 @@ export declare const getDefaultPolicyOutput: typeof import("./getDefaultPolicy")
 export { GetPolicyArgs, GetPolicyResult, GetPolicyOutputArgs } from "./getPolicy";
 export declare const getPolicy: typeof import("./getPolicy").getPolicy;
 export declare const getPolicyOutput: typeof import("./getPolicy").getPolicyOutput;
+export { GetRulePasswordArgs, GetRulePasswordResult, GetRulePasswordOutputArgs } from "./getRulePassword";
+export declare const getRulePassword: typeof import("./getRulePassword").getRulePassword;
+export declare const getRulePasswordOutput: typeof import("./getRulePassword").getRulePasswordOutput;
 export { MfaArgs, MfaState } from "./mfa";
 export type Mfa = import("./mfa").Mfa;
 export declare const Mfa: typeof import("./mfa").Mfa;

package/policy/index.js

@@ -2,7 +2,7 @@
 // *** WARNING: this file was generated by pulumi-language-nodejs. ***
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Signon = exports.RuleSignon = exports.RulePassword = exports.RuleMfa = exports.RuleIdpDiscovery = exports.Password = exports.Mfa = exports.getPolicyOutput = exports.getPolicy = exports.getDefaultPolicyOutput = exports.getDefaultPolicy = exports.DeviceAssuranceWindows = exports.DeviceAssuranceMacos = exports.DeviceAssuranceIos = exports.DeviceAssuranceChromeos = exports.DeviceAssuranceAndroid = void 0;
+exports.Signon = exports.RuleSignon = exports.RulePassword = exports.RuleMfa = exports.RuleIdpDiscovery = exports.Password = exports.Mfa = exports.getRulePasswordOutput = exports.getRulePassword = exports.getPolicyOutput = exports.getPolicy = exports.getDefaultPolicyOutput = exports.getDefaultPolicy = exports.DeviceAssuranceWindows = exports.DeviceAssuranceMacos = exports.DeviceAssuranceIos = exports.DeviceAssuranceChromeos = exports.DeviceAssuranceAndroid = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 exports.DeviceAssuranceAndroid = null;
@@ -21,6 +21,9 @@ utilities.lazyLoad(exports, ["getDefaultPolicy", "getDefaultPolicyOutput"], () =
 exports.getPolicy = null;
 exports.getPolicyOutput = null;
 utilities.lazyLoad(exports, ["getPolicy", "getPolicyOutput"], () => require("./getPolicy"));
+exports.getRulePassword = null;
+exports.getRulePasswordOutput = null;
+utilities.lazyLoad(exports, ["getRulePassword", "getRulePasswordOutput"], () => require("./getRulePassword"));
 exports.Mfa = null;
 utilities.lazyLoad(exports, ["Mfa"], () => require("./mfa"));
 exports.Password = null;

package/policy/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../policy/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAK7B,QAAA,sBAAsB,GAAqE,IAAW,CAAC;AACpH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,wBAAwB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC,CAAC;AAItF,QAAA,uBAAuB,GAAuE,IAAW,CAAC;AACvH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,yBAAyB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC,CAAC;AAIxF,QAAA,kBAAkB,GAA6D,IAAW,CAAC;AACxG,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC,CAAC;AAI9E,QAAA,oBAAoB,GAAiE,IAAW,CAAC;AAC9G,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,sBAAsB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC,CAAC;AAIlF,QAAA,sBAAsB,GAAqE,IAAW,CAAC;AACpH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,wBAAwB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC,CAAC;AAGtF,QAAA,gBAAgB,GAAyD,IAAW,CAAC;AACrF,QAAA,sBAAsB,GAA+D,IAAW,CAAC;AAC9G,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,kBAAkB,EAAC,wBAAwB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC;AAGnG,QAAA,SAAS,GAA2C,IAAW,CAAC;AAChE,QAAA,eAAe,GAAiD,IAAW,CAAC;AACzF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,WAAW,EAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;AAI9E,QAAA,GAAG,GAA+B,IAAW,CAAC;AAC3D,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAIhD,QAAA,QAAQ,GAAyC,IAAW,CAAC;AAC1E,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAI1D,QAAA,gBAAgB,GAAyD,IAAW,CAAC;AAClG,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,kBAAkB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC;AAI1E,QAAA,OAAO,GAAuC,IAAW,CAAC;AACvE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;AAIxD,QAAA,YAAY,GAAiD,IAAW,CAAC;AACtF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAIlE,QAAA,UAAU,GAA6C,IAAW,CAAC;AAChF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;AAI9D,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAGnE,MAAM,OAAO,GAAG;IACZ,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,SAAS,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAAmB,EAAE;QACpE,QAAQ,IAAI,EAAE;YACV,KAAK,2DAA2D;gBAC5D,OAAO,IAAI,8BAAsB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpE,KAAK,6DAA6D;gBAC9D,OAAO,IAAI,+BAAuB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACrE,KAAK,mDAAmD;gBACpD,OAAO,IAAI,0BAAkB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAChE,KAAK,uDAAuD;gBACxD,OAAO,IAAI,4BAAoB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAClE,KAAK,2DAA2D;gBAC5D,OAAO,IAAI,8BAAsB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpE,KAAK,qBAAqB;gBACtB,OAAO,IAAI,WAAG,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACjD,KAAK,+BAA+B;gBAChC,OAAO,IAAI,gBAAQ,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACtD,KAAK,+CAA+C;gBAChD,OAAO,IAAI,wBAAgB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC9D,KAAK,6BAA6B;gBAC9B,OAAO,IAAI,eAAO,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACrD,KAAK,uCAAuC;gBACxC,OAAO,IAAI,oBAAY,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC1D,KAAK,mCAAmC;gBACpC,OAAO,IAAI,kBAAU,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACxD,KAAK,2BAA2B;gBAC5B,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD;gBACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACxD;IACL,CAAC;CACJ,CAAC;AACF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,+BAA+B,EAAE,OAAO,CAAC,CAAA;AACvF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,gCAAgC,EAAE,OAAO,CAAC,CAAA;AACxF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,2BAA2B,EAAE,OAAO,CAAC,CAAA;AACnF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,6BAA6B,EAAE,OAAO,CAAC,CAAA;AACrF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,+BAA+B,EAAE,OAAO,CAAC,CAAA;AACvF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;AACpE,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAA;AACzE,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,yBAAyB,EAAE,OAAO,CAAC,CAAA;AACjF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAA;AACxE,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,qBAAqB,EAAE,OAAO,CAAC,CAAA;AAC7E,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,mBAAmB,EAAE,OAAO,CAAC,CAAA;AAC3E,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,eAAe,EAAE,OAAO,CAAC,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../policy/index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAK7B,QAAA,sBAAsB,GAAqE,IAAW,CAAC;AACpH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,wBAAwB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC,CAAC;AAItF,QAAA,uBAAuB,GAAuE,IAAW,CAAC;AACvH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,yBAAyB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC,CAAC;AAIxF,QAAA,kBAAkB,GAA6D,IAAW,CAAC;AACxG,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC,CAAC;AAI9E,QAAA,oBAAoB,GAAiE,IAAW,CAAC;AAC9G,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,sBAAsB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC,CAAC;AAIlF,QAAA,sBAAsB,GAAqE,IAAW,CAAC;AACpH,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,wBAAwB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC,CAAC;AAGtF,QAAA,gBAAgB,GAAyD,IAAW,CAAC;AACrF,QAAA,sBAAsB,GAA+D,IAAW,CAAC;AAC9G,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,kBAAkB,EAAC,wBAAwB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC;AAGnG,QAAA,SAAS,GAA2C,IAAW,CAAC;AAChE,QAAA,eAAe,GAAiD,IAAW,CAAC;AACzF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,WAAW,EAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;AAG9E,QAAA,eAAe,GAAuD,IAAW,CAAC;AAClF,QAAA,qBAAqB,GAA6D,IAAW,CAAC;AAC3G,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,iBAAiB,EAAC,uBAAuB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAIhG,QAAA,GAAG,GAA+B,IAAW,CAAC;AAC3D,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAIhD,QAAA,QAAQ,GAAyC,IAAW,CAAC;AAC1E,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAI1D,QAAA,gBAAgB,GAAyD,IAAW,CAAC;AAClG,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,kBAAkB,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC;AAI1E,QAAA,OAAO,GAAuC,IAAW,CAAC;AACvE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;AAIxD,QAAA,YAAY,GAAiD,IAAW,CAAC;AACtF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAIlE,QAAA,UAAU,GAA6C,IAAW,CAAC;AAChF,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;AAI9D,QAAA,MAAM,GAAqC,IAAW,CAAC;AACpE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAGnE,MAAM,OAAO,GAAG;IACZ,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,SAAS,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAAmB,EAAE;QACpE,QAAQ,IAAI,EAAE;YACV,KAAK,2DAA2D;gBAC5D,OAAO,IAAI,8BAAsB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpE,KAAK,6DAA6D;gBAC9D,OAAO,IAAI,+BAAuB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACrE,KAAK,mDAAmD;gBACpD,OAAO,IAAI,0BAAkB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAChE,KAAK,uDAAuD;gBACxD,OAAO,IAAI,4BAAoB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAClE,KAAK,2DAA2D;gBAC5D,OAAO,IAAI,8BAAsB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpE,KAAK,qBAAqB;gBACtB,OAAO,IAAI,WAAG,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACjD,KAAK,+BAA+B;gBAChC,OAAO,IAAI,gBAAQ,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACtD,KAAK,+CAA+C;gBAChD,OAAO,IAAI,wBAAgB,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC9D,KAAK,6BAA6B;gBAC9B,OAAO,IAAI,eAAO,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACrD,KAAK,uCAAuC;gBACxC,OAAO,IAAI,oBAAY,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YAC1D,KAAK,mCAAmC;gBACpC,OAAO,IAAI,kBAAU,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACxD,KAAK,2BAA2B;gBAC5B,OAAO,IAAI,cAAM,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;YACpD;gBACI,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACxD;IACL,CAAC;CACJ,CAAC;AACF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,+BAA+B,EAAE,OAAO,CAAC,CAAA;AACvF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,gCAAgC,EAAE,OAAO,CAAC,CAAA;AACxF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,2BAA2B,EAAE,OAAO,CAAC,CAAA;AACnF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,6BAA6B,EAAE,OAAO,CAAC,CAAA;AACrF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,+BAA+B,EAAE,OAAO,CAAC,CAAA;AACvF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;AACpE,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAA;AACzE,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,yBAAyB,EAAE,OAAO,CAAC,CAAA;AACjF,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAA;AACxE,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,qBAAqB,EAAE,OAAO,CAAC,CAAA;AAC7E,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,mBAAmB,EAAE,OAAO,CAAC,CAAA;AAC3E,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,EAAE,eAAe,EAAE,OAAO,CAAC,CAAA"}

package/policy/rulePassword.d.ts

@@ -1,7 +1,57 @@
 import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
 /**
  * Creates a Password Policy Rule. This resource allows you to create and configure a Password Policy Rule.
  *
+ * ## Example Usage
+ *
+ * ### AUTH_POLICY access control (delegates SSPR to authentication policy rules)
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const exampleAuthPolicy = new okta.policy.RulePassword("example_auth_policy", {
+ *     policyId: "<policy_id>",
+ *     name: "example_auth_policy_rule",
+ *     status: "ACTIVE",
+ *     passwordChange: "ALLOW",
+ *     passwordReset: "ALLOW",
+ *     passwordUnlock: "DENY",
+ *     passwordResetAccessControl: "AUTH_POLICY",
+ * });
+ * ```
+ *
+ * ### LEGACY access control with primary methods and step-up
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const exampleLegacy = new okta.policy.RulePassword("example_legacy", {
+ *     policyId: "<policy_id>",
+ *     name: "example_legacy_rule",
+ *     status: "ACTIVE",
+ *     passwordChange: "ALLOW",
+ *     passwordReset: "ALLOW",
+ *     passwordUnlock: "DENY",
+ *     passwordResetAccessControl: "LEGACY",
+ *     passwordResetRequirement: {
+ *         methodConstraints: [{
+ *             method: "otp",
+ *             allowedAuthenticators: ["google_otp"],
+ *         }],
+ *         primaryMethods: [
+ *             "otp",
+ *             "email",
+ *         ],
+ *         stepUpEnabled: true,
+ *         stepUpMethods: ["security_question"],
+ *     },
+ * });
+ * ```
+ *
  * ## Import
  *
  * ```sh
@@ -24,12 +74,20 @@ export declare class RulePassword extends pulumi.CustomResource {
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
      */
     static isInstance(obj: any): obj is RulePassword;
+    /**
+     * Set of Group IDs to exclude from this rule.
+     */
+    readonly groupsExcludeds: pulumi.Output<string[] | undefined>;
+    /**
+     * Set of Group IDs to include in this rule.
+     */
+    readonly groupsIncludeds: pulumi.Output<string[] | undefined>;
     /**
      * Policy Rule Name
      */
     readonly name: pulumi.Output<string>;
     /**
-     * Network selection mode: `ANYWHERE`, `ZONE`, `ON_NETWORK`, or `OFF_NETWORK`. Default: `ANYWHERE`
+     * Network selection mode: `ANYWHERE`, `ZONE`. Default: `ANYWHERE`
      */
     readonly networkConnection: pulumi.Output<string | undefined>;
     /**
@@ -48,6 +106,14 @@ export declare class RulePassword extends pulumi.CustomResource {
      * Allow or deny a user to reset their password: `ALLOW` or `DENY`. Default: `ALLOW`
      */
     readonly passwordReset: pulumi.Output<string | undefined>;
+    /**
+     * Determines whether the Self-Service Password Reset (SSPR) access is governed by an authentication policy or legacy behavior. Options: `LEGACY`, `AUTH_POLICY`.
+     */
+    readonly passwordResetAccessControl: pulumi.Output<string | undefined>;
+    /**
+     * Self-service password reset (SSPR) requirement settings. Use only when `passwordResetAccessControl = "LEGACY"`.
+     */
+    readonly passwordResetRequirement: pulumi.Output<outputs.policy.RulePasswordPasswordResetRequirement | undefined>;
     /**
      * Allow or deny a user to unlock. Default: `DENY`
      */
@@ -68,6 +134,10 @@ export declare class RulePassword extends pulumi.CustomResource {
      * Set of User IDs to Exclude
      */
     readonly usersExcludeds: pulumi.Output<string[] | undefined>;
+    /**
+     * Set of User IDs to include in this rule.
+     */
+    readonly usersIncludeds: pulumi.Output<string[] | undefined>;
     /**
      * Create a RulePassword resource with the given unique name, arguments, and options.
      *
@@ -81,12 +151,20 @@ export declare class RulePassword extends pulumi.CustomResource {
  * Input properties used for looking up and filtering RulePassword resources.
  */
 export interface RulePasswordState {
+    /**
+     * Set of Group IDs to exclude from this rule.
+     */
+    groupsExcludeds?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Set of Group IDs to include in this rule.
+     */
+    groupsIncludeds?: pulumi.Input<pulumi.Input<string>[]>;
     /**
      * Policy Rule Name
      */
     name?: pulumi.Input<string>;
     /**
-     * Network selection mode: `ANYWHERE`, `ZONE`, `ON_NETWORK`, or `OFF_NETWORK`. Default: `ANYWHERE`
+     * Network selection mode: `ANYWHERE`, `ZONE`. Default: `ANYWHERE`
      */
     networkConnection?: pulumi.Input<string>;
     /**
@@ -105,6 +183,14 @@ export interface RulePasswordState {
      * Allow or deny a user to reset their password: `ALLOW` or `DENY`. Default: `ALLOW`
      */
     passwordReset?: pulumi.Input<string>;
+    /**
+     * Determines whether the Self-Service Password Reset (SSPR) access is governed by an authentication policy or legacy behavior. Options: `LEGACY`, `AUTH_POLICY`.
+     */
+    passwordResetAccessControl?: pulumi.Input<string>;
+    /**
+     * Self-service password reset (SSPR) requirement settings. Use only when `passwordResetAccessControl = "LEGACY"`.
+     */
+    passwordResetRequirement?: pulumi.Input<inputs.policy.RulePasswordPasswordResetRequirement>;
     /**
      * Allow or deny a user to unlock. Default: `DENY`
      */
@@ -125,17 +211,29 @@ export interface RulePasswordState {
      * Set of User IDs to Exclude
      */
     usersExcludeds?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Set of User IDs to include in this rule.
+     */
+    usersIncludeds?: pulumi.Input<pulumi.Input<string>[]>;
 }
 /**
  * The set of arguments for constructing a RulePassword resource.
  */
 export interface RulePasswordArgs {
+    /**
+     * Set of Group IDs to exclude from this rule.
+     */
+    groupsExcludeds?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Set of Group IDs to include in this rule.
+     */
+    groupsIncludeds?: pulumi.Input<pulumi.Input<string>[]>;
     /**
      * Policy Rule Name
      */
     name?: pulumi.Input<string>;
     /**
-     * Network selection mode: `ANYWHERE`, `ZONE`, `ON_NETWORK`, or `OFF_NETWORK`. Default: `ANYWHERE`
+     * Network selection mode: `ANYWHERE`, `ZONE`. Default: `ANYWHERE`
      */
     networkConnection?: pulumi.Input<string>;
     /**
@@ -154,6 +252,14 @@ export interface RulePasswordArgs {
      * Allow or deny a user to reset their password: `ALLOW` or `DENY`. Default: `ALLOW`
      */
     passwordReset?: pulumi.Input<string>;
+    /**
+     * Determines whether the Self-Service Password Reset (SSPR) access is governed by an authentication policy or legacy behavior. Options: `LEGACY`, `AUTH_POLICY`.
+     */
+    passwordResetAccessControl?: pulumi.Input<string>;
+    /**
+     * Self-service password reset (SSPR) requirement settings. Use only when `passwordResetAccessControl = "LEGACY"`.
+     */
+    passwordResetRequirement?: pulumi.Input<inputs.policy.RulePasswordPasswordResetRequirement>;
     /**
      * Allow or deny a user to unlock. Default: `DENY`
      */
@@ -174,4 +280,8 @@ export interface RulePasswordArgs {
      * Set of User IDs to Exclude
      */
     usersExcludeds?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Set of User IDs to include in this rule.
+     */
+    usersIncludeds?: pulumi.Input<pulumi.Input<string>[]>;
 }

package/policy/rulePassword.js

@@ -8,6 +8,54 @@ const utilities = require("../utilities");
 /**
  * Creates a Password Policy Rule. This resource allows you to create and configure a Password Policy Rule.
  *
+ * ## Example Usage
+ *
+ * ### AUTH_POLICY access control (delegates SSPR to authentication policy rules)
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const exampleAuthPolicy = new okta.policy.RulePassword("example_auth_policy", {
+ *     policyId: "<policy_id>",
+ *     name: "example_auth_policy_rule",
+ *     status: "ACTIVE",
+ *     passwordChange: "ALLOW",
+ *     passwordReset: "ALLOW",
+ *     passwordUnlock: "DENY",
+ *     passwordResetAccessControl: "AUTH_POLICY",
+ * });
+ * ```
+ *
+ * ### LEGACY access control with primary methods and step-up
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const exampleLegacy = new okta.policy.RulePassword("example_legacy", {
+ *     policyId: "<policy_id>",
+ *     name: "example_legacy_rule",
+ *     status: "ACTIVE",
+ *     passwordChange: "ALLOW",
+ *     passwordReset: "ALLOW",
+ *     passwordUnlock: "DENY",
+ *     passwordResetAccessControl: "LEGACY",
+ *     passwordResetRequirement: {
+ *         methodConstraints: [{
+ *             method: "otp",
+ *             allowedAuthenticators: ["google_otp"],
+ *         }],
+ *         primaryMethods: [
+ *             "otp",
+ *             "email",
+ *         ],
+ *         stepUpEnabled: true,
+ *         stepUpMethods: ["security_question"],
+ *     },
+ * });
+ * ```
+ *
  * ## Import
  *
  * ```sh
@@ -42,31 +90,41 @@ class RulePassword extends pulumi.CustomResource {
         opts = opts || {};
         if (opts.id) {
             const state = argsOrState;
+            resourceInputs["groupsExcludeds"] = state?.groupsExcludeds;
+            resourceInputs["groupsIncludeds"] = state?.groupsIncludeds;
             resourceInputs["name"] = state?.name;
             resourceInputs["networkConnection"] = state?.networkConnection;
             resourceInputs["networkExcludes"] = state?.networkExcludes;
             resourceInputs["networkIncludes"] = state?.networkIncludes;
             resourceInputs["passwordChange"] = state?.passwordChange;
             resourceInputs["passwordReset"] = state?.passwordReset;
+            resourceInputs["passwordResetAccessControl"] = state?.passwordResetAccessControl;
+            resourceInputs["passwordResetRequirement"] = state?.passwordResetRequirement;
             resourceInputs["passwordUnlock"] = state?.passwordUnlock;
             resourceInputs["policyId"] = state?.policyId;
             resourceInputs["priority"] = state?.priority;
             resourceInputs["status"] = state?.status;
             resourceInputs["usersExcludeds"] = state?.usersExcludeds;
+            resourceInputs["usersIncludeds"] = state?.usersIncludeds;
         }
         else {
             const args = argsOrState;
+            resourceInputs["groupsExcludeds"] = args?.groupsExcludeds;
+            resourceInputs["groupsIncludeds"] = args?.groupsIncludeds;
             resourceInputs["name"] = args?.name;
             resourceInputs["networkConnection"] = args?.networkConnection;
             resourceInputs["networkExcludes"] = args?.networkExcludes;
             resourceInputs["networkIncludes"] = args?.networkIncludes;
             resourceInputs["passwordChange"] = args?.passwordChange;
             resourceInputs["passwordReset"] = args?.passwordReset;
+            resourceInputs["passwordResetAccessControl"] = args?.passwordResetAccessControl;
+            resourceInputs["passwordResetRequirement"] = args?.passwordResetRequirement;
             resourceInputs["passwordUnlock"] = args?.passwordUnlock;
             resourceInputs["policyId"] = args?.policyId;
             resourceInputs["priority"] = args?.priority;
             resourceInputs["status"] = args?.status;
             resourceInputs["usersExcludeds"] = args?.usersExcludeds;
+            resourceInputs["usersIncludeds"] = args?.usersIncludeds;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(RulePassword.__pulumiType, name, resourceInputs, opts);

package/policy/rulePassword.js.map

@@ -1 +1 @@
-{"version":3,"file":"rulePassword.js","sourceRoot":"","sources":["../../policy/rulePassword.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;GAQG;AACH,MAAa,YAAa,SAAQ,MAAM,CAAC,cAAc;IACnD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAyB,EAAE,IAAmC;QACvH,OAAO,IAAI,YAAY,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACnE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,YAAY,CAAC,YAAY,CAAC;IAC7D,CAAC;IAuDD,YAAY,IAAY,EAAE,WAAkD,EAAE,IAAmC;QAC7G,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAA4C,CAAC;YAC3D,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC;YACrC,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,EAAE,iBAAiB,CAAC;YAC/D,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,EAAE,eAAe,CAAC;YAC3D,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,EAAE,eAAe,CAAC;YAC3D,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,eAAe,CAAC,GAAG,KAAK,EAAE,aAAa,CAAC;YACvD,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,EAAE,QAAQ,CAAC;YAC7C,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,EAAE,QAAQ,CAAC;YAC7C,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;YACzC,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;SAC5D;aAAM;YACH,MAAM,IAAI,GAAG,WAA2C,CAAC;YACzD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,EAAE,iBAAiB,CAAC;YAC9D,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,EAAE,eAAe,CAAC;YAC1D,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,EAAE,eAAe,CAAC;YAC1D,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,eAAe,CAAC,GAAG,IAAI,EAAE,aAAa,CAAC;YACtD,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;SAC3D;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACjE,CAAC;;AAjHL,oCAkHC;AApGG,gBAAgB;AACO,yBAAY,GAAG,uCAAuC,CAAC"}
+{"version":3,"file":"rulePassword.js","sourceRoot":"","sources":["../../policy/rulePassword.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,0CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwDG;AACH,MAAa,YAAa,SAAQ,MAAM,CAAC,cAAc;IACnD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAAyB,EAAE,IAAmC;QACvH,OAAO,IAAI,YAAY,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACnE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,YAAY,CAAC,YAAY,CAAC;IAC7D,CAAC;IA2ED,YAAY,IAAY,EAAE,WAAkD,EAAE,IAAmC;QAC7G,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAA4C,CAAC;YAC3D,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,EAAE,eAAe,CAAC;YAC3D,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,EAAE,eAAe,CAAC;YAC3D,cAAc,CAAC,MAAM,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC;YACrC,cAAc,CAAC,mBAAmB,CAAC,GAAG,KAAK,EAAE,iBAAiB,CAAC;YAC/D,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,EAAE,eAAe,CAAC;YAC3D,cAAc,CAAC,iBAAiB,CAAC,GAAG,KAAK,EAAE,eAAe,CAAC;YAC3D,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,eAAe,CAAC,GAAG,KAAK,EAAE,aAAa,CAAC;YACvD,cAAc,CAAC,4BAA4B,CAAC,GAAG,KAAK,EAAE,0BAA0B,CAAC;YACjF,cAAc,CAAC,0BAA0B,CAAC,GAAG,KAAK,EAAE,wBAAwB,CAAC;YAC7E,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,EAAE,QAAQ,CAAC;YAC7C,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,EAAE,QAAQ,CAAC;YAC7C,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;YACzC,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;SAC5D;aAAM;YACH,MAAM,IAAI,GAAG,WAA2C,CAAC;YACzD,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,EAAE,eAAe,CAAC;YAC1D,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,EAAE,eAAe,CAAC;YAC1D,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,mBAAmB,CAAC,GAAG,IAAI,EAAE,iBAAiB,CAAC;YAC9D,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,EAAE,eAAe,CAAC;YAC1D,cAAc,CAAC,iBAAiB,CAAC,GAAG,IAAI,EAAE,eAAe,CAAC;YAC1D,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,eAAe,CAAC,GAAG,IAAI,EAAE,aAAa,CAAC;YACtD,cAAc,CAAC,4BAA4B,CAAC,GAAG,IAAI,EAAE,0BAA0B,CAAC;YAChF,cAAc,CAAC,0BAA0B,CAAC,GAAG,IAAI,EAAE,wBAAwB,CAAC;YAC5E,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC5C,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;YACxD,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC;SAC3D;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACjE,CAAC;;AA/IL,oCAgJC;AAlIG,gBAAgB;AACO,yBAAY,GAAG,uCAAuC,CAAC"}

package/types/input.d.ts

@@ -3933,7 +3933,7 @@ export declare namespace app {
     }
     interface SignonPolicyRulesRulePlatformInclude {
         /**
-         * Custom OS expression for advanced matching.
+         * Custom OS expression for advanced matching. Required by the API when osType is OTHER (leave empty or omit to match any OTHER OS). The API normalizes empty and wildcard values to null on read; the provider preserves "" in state.
          */
         osExpression?: pulumi.Input<string>;
         /**
@@ -4009,6 +4009,34 @@ export declare namespace policy {
         name?: pulumi.Input<string>;
         type: pulumi.Input<string>;
     }
+    interface RulePasswordPasswordResetRequirement {
+        /**
+         * Constraints on the values specified in the `primaryMethods` set. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. The `otp` method requires a constraint.
+         */
+        methodConstraints?: pulumi.Input<pulumi.Input<inputs.policy.RulePasswordPasswordResetRequirementMethodConstraint>[]>;
+        /**
+         * Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator. Options: `otp`, `push`, `sms`, `email`, `voice`.
+         */
+        primaryMethods?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * Whether a secondary authenticator is required for password reset (`stepUp.required`). The following are three valid configurations: `required=false`, `required=true` with no methods to use any SSO authenticator, and `required=true` with `securityQuestion` as the method. Default: `false`.
+         */
+        stepUpEnabled?: pulumi.Input<boolean>;
+        /**
+         * Authenticator methods required for the secondary authentication step of password recovery. Specify only when `stepUpEnabled = true` and `securityQuestion` is permitted for the secondary authentication. Items value: `securityQuestion`.
+         */
+        stepUpMethods?: pulumi.Input<pulumi.Input<string>[]>;
+    }
+    interface RulePasswordPasswordResetRequirementMethodConstraint {
+        /**
+         * Keys of the authenticators allowed for this method (e.g. `googleOtp`).
+         */
+        allowedAuthenticators?: pulumi.Input<pulumi.Input<string>[]>;
+        /**
+         * The method to constrain (e.g. `otp`).
+         */
+        method: pulumi.Input<string>;
+    }
     interface RuleSignonFactorSequence {
         /**
          * Type of a Factor

package/types/output.d.ts

@@ -3010,9 +3010,9 @@ export declare namespace app {
     }
     interface SignonPolicyRulesRulePlatformInclude {
         /**
-         * Custom OS expression for advanced matching.
+         * Custom OS expression for advanced matching. Required by the API when osType is OTHER (leave empty or omit to match any OTHER OS). The API normalizes empty and wildcard values to null on read; the provider preserves "" in state.
          */
-        osExpression?: string;
+        osExpression: string;
         /**
          * OS type: ANY, IOS, ANDROID, WINDOWS, OSX, MACOS, CHROMEOS, or OTHER.
          */
@@ -3082,6 +3082,34 @@ export declare namespace inline {
     }
 }
 export declare namespace policy {
+    interface GetRulePasswordPasswordResetRequirement {
+        /**
+         * Constraints on the values specified in `primaryMethods`.
+         */
+        methodConstraints: outputs.policy.GetRulePasswordPasswordResetRequirementMethodConstraint[];
+        /**
+         * Authenticator methods allowed for the initial authentication step of password recovery.
+         */
+        primaryMethods: string[];
+        /**
+         * Whether a secondary authenticator is required for password reset.
+         */
+        stepUpEnabled: boolean;
+        /**
+         * Authenticator methods required for the secondary authentication step of password recovery. Items value: `securityQuestion`.
+         */
+        stepUpMethods: string[];
+    }
+    interface GetRulePasswordPasswordResetRequirementMethodConstraint {
+        /**
+         * Keys of the authenticators allowed for this method (e.g. `googleOtp`).
+         */
+        allowedAuthenticators: string[];
+        /**
+         * The method to constrain (e.g. `otp`).
+         */
+        method: string;
+    }
     interface RuleIdpDiscoveryAppExclude {
         id?: string;
         name?: string;
@@ -3124,6 +3152,34 @@ export declare namespace policy {
         name?: string;
         type: string;
     }
+    interface RulePasswordPasswordResetRequirement {
+        /**
+         * Constraints on the values specified in the `primaryMethods` set. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. The `otp` method requires a constraint.
+         */
+        methodConstraints?: outputs.policy.RulePasswordPasswordResetRequirementMethodConstraint[];
+        /**
+         * Authenticator methods allowed for the initial authentication step of password recovery. Method `otp` requires a constraint limiting it to a Google authenticator. Options: `otp`, `push`, `sms`, `email`, `voice`.
+         */
+        primaryMethods?: string[];
+        /**
+         * Whether a secondary authenticator is required for password reset (`stepUp.required`). The following are three valid configurations: `required=false`, `required=true` with no methods to use any SSO authenticator, and `required=true` with `securityQuestion` as the method. Default: `false`.
+         */
+        stepUpEnabled?: boolean;
+        /**
+         * Authenticator methods required for the secondary authentication step of password recovery. Specify only when `stepUpEnabled = true` and `securityQuestion` is permitted for the secondary authentication. Items value: `securityQuestion`.
+         */
+        stepUpMethods?: string[];
+    }
+    interface RulePasswordPasswordResetRequirementMethodConstraint {
+        /**
+         * Keys of the authenticators allowed for this method (e.g. `googleOtp`).
+         */
+        allowedAuthenticators?: string[];
+        /**
+         * The method to constrain (e.g. `otp`).
+         */
+        method: string;
+    }
     interface RuleSignonFactorSequence {
         /**
          * Type of a Factor