Added new password_inline_hook field to the okta_user resource (#849

)

okta/resource_okta_user.go

@@ -282,6 +282,13 @@ func resourceUser() *schema.Resource {
 				Sensitive:   true,
 				Description: "User Password",
 			},
+			"password_inline_hook": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				ValidateDiagFunc: elemInSlice([]string{"default"}),
+				Description:      "When specified, the Password Inline Hook is triggered to handle verification of the end user's password the first time the user tries to sign in",
+				ConflictsWith:    []string{"password", "password_hash"},
+			},
 			"old_password": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -370,6 +377,14 @@ func resourceUserCreate(ctx context.Context, d *schema.ResourceData, m interface
 			Hash:  buildPasswordCredentialHash(d.Get("password_hash")),
 		},
 	}
+	pih := d.Get("password_inline_hook").(string)
+	if pih != "" {
+		uc.Password = &okta.PasswordCredential{
+			Hook: &okta.PasswordCredentialHook{
+				Type: pih,
+			},
+		}
+	}
 	recoveryQuestion := d.Get("recovery_question").(string)
 	recoveryAnswer := d.Get("recovery_answer").(string)
 	if recoveryQuestion != "" {
@@ -468,6 +483,7 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 	userChange := hasProfileChange(d)
 	passwordChange := d.HasChange("password")
 	passwordHashChange := d.HasChange("password_hash")
+	passwordHookChange := d.HasChange("password_inline_hook")
 	recoveryQuestionChange := d.HasChange("recovery_question")
 	recoveryAnswerChange := d.HasChange("recovery_answer")
 
@@ -497,7 +513,7 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 		return diag.Errorf("Only the status of a DEPROVISIONED user can be updated, we detected other change")
 	}
 
-	if userChange || passwordHashChange {
+	if userChange || passwordHashChange || passwordHookChange {
 		profile := populateUserProfile(d)
 		userBody := okta.User{
 			Profile: profile,
@@ -509,6 +525,16 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 				},
 			}
 		}
+		pih := d.Get("password_inline_hook").(string)
+		if passwordHookChange && pih != "" {
+			userBody.Credentials = &okta.UserCredentials{
+				Password: &okta.PasswordCredential{
+					Hook: &okta.PasswordCredentialHook{
+						Type: pih,
+					},
+				},
+			}
+		}
 		_, _, err := client.User.UpdateUser(ctx, d.Id(), userBody, nil)
 		if err != nil {
 			return diag.Errorf("failed to update user: %v", err)

website/docs/r/user.html.markdown

@@ -14,6 +14,8 @@ This resource allows you to create and configure an Okta User.
 
 ## Example Usage
 
+Full profile:
+
 ```hcl
 resource "okta_user" "example" {
   first_name         = "John"
@@ -50,6 +52,18 @@ resource "okta_user" "example" {
 }
 ```
 
+With Password Inline Hook:
+
+```hcl
+resource "okta_user" "test2" {
+  first_name           = "John"
+  last_name            = "Smith"
+  login                = "example@example.com"
+  email                = "example@example.com"
+  password_inline_hook = "default"
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -131,6 +145,11 @@ The following arguments are supported:
 outside the provider. After successful password change this field should be removed and `password` field should be used 
 for further changes.
 
+- `password_inline_hook` (Optional) Specifies that a Password Import Inline Hook should be triggered to handle verification 
+of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly 
+from some other store. When updating a user with a password hook the user must be in the `STAGED` status. The `password`
+field should not be specified when using Password Import Inline Hook. 
+
 - `recovery_question` - (Optional) User password recovery question.
 
 - `recovery_answer` - (Optional) User password recovery answer.