From cda29f8efb13d64433de1e29b94eec94028a1e40 Mon Sep 17 00:00:00 2001
From: Tien Nguyen
Date: Fri, 17 Jan 2025 14:21:48 -0500
Subject: [PATCH] add support for enroll_authenticator_types for okta_policy_rule_profile_enrollment
Signed-off-by: Tien Nguyen
---
 docs/resources/policy_rule_profile_enrollment.md | 1 +
 .../okta_policy_rule_profile_enrollment/basic.tf | 1 +
 okta/resource_okta_policy_rule_profile_enrollment.go | 11 +++++++++++
 ...source_okta_policy_rule_profile_enrollment_test.go | 2 ++
 sdk/v2_profileEnrollmentPolicyRuleAction.go | 1 +
 5 files changed, 16 insertions(+)
diff --git a/docs/resources/policy_rule_profile_enrollment.md b/docs/resources/policy_rule_profile_enrollment.md
index ce3021098..d2fbfc2a5 100644
--- a/docs/resources/policy_rule_profile_enrollment.md
+++ b/docs/resources/policy_rule_profile_enrollment.md
@@ -82,6 +82,7 @@ resource "okta_policy_rule_profile_enrollment" "example" {
 - `access` (String) Allow or deny access based on the rule conditions. Valid values are: `ALLOW`, `DENY`. Default: `ALLOW`.
 - `email_verification` (Boolean) Indicates whether email verification should occur before access is granted. Default: `true`.
+- `enroll_authenticator_types` (Set of String) Enrolls authenticator types
 - `inline_hook_id` (String) ID of a Registration Inline Hook
 - `profile_attributes` (Block List) A list of attributes to prompt the user during registration or progressive profiling. Where defined on the User schema, these attributes are persisted in the User profile. Non-schema attributes may also be added, which aren't persisted to the User's profile, but are included in requests to the registration inline hook. A maximum of 10 Profile properties is supported.
 - 'label' - (Required) A display-friendly label for this property
diff --git a/examples/resources/okta_policy_rule_profile_enrollment/basic.tf b/examples/resources/okta_policy_rule_profile_enrollment/basic.tf
index 4efb45533..351b3ad32 100644
--- a/examples/resources/okta_policy_rule_profile_enrollment/basic.tf
+++ b/examples/resources/okta_policy_rule_profile_enrollment/basic.tf
@@ -12,6 +12,7 @@ resource "okta_policy_rule_profile_enrollment" "test" {
 label = "Email"
 required = true
 }
+ enroll_authenticator_types = ["password"]
 }
diff --git a/okta/resource_okta_policy_rule_profile_enrollment.go b/okta/resource_okta_policy_rule_profile_enrollment.go
index 096b90c33..a0e44bdf8 100644
--- a/okta/resource_okta_policy_rule_profile_enrollment.go
+++ b/okta/resource_okta_policy_rule_profile_enrollment.go
@@ -106,6 +106,12 @@ enrollment policy, it allows the default policy rule to be updated.`,
 Description: "Enabled or disabled progressive profiling action rule conditions: `ENABLED` or `DISABLED`. Default: `DISABLED`",
 Default: "DISABLED",
 },
+ "enroll_authenticator_types": {
+ Type: schema.TypeSet,
+ Optional: true,
+ Description: "Enrolls authenticator types",
+ Elem: &schema.Schema{Type: schema.TypeString},
+ },
 },
 }
 }
@@ -181,6 +187,7 @@ func resourcePolicyProfileEnrollmentRuleRead(ctx context.Context, d *schema.Reso
 }
 }
 _ = d.Set("profile_attributes", arr)
+ _ = d.Set("enroll_authenticator_types", convertStringSliceToSetNullable(rule.Actions.ProfileEnrollment.EnrollAuthenticatorTypes))
 return nil
 }
@@ -273,6 +280,10 @@ func buildPolicyRuleProfileEnrollment(ctx context.Context, m interface{}, d *sch
 ruleAction.UiSchemaId = usi.(string)
 }
+ if eat, ok := d.GetOk("enroll_authenticator_types"); ok {
+ ruleAction.EnrollAuthenticatorTypes = convertInterfaceToStringSetNullable(eat)
+ }
+
 updateRule.Actions = sdk.SdkPolicyRuleActions{
 ProfileEnrollment: ruleAction,
 }
diff --git a/okta/resource_okta_policy_rule_profile_enrollment_test.go b/okta/resource_okta_policy_rule_profile_enrollment_test.go
index 9a384a61a..43069943b 100644
--- a/okta/resource_okta_policy_rule_profile_enrollment_test.go
+++ b/okta/resource_okta_policy_rule_profile_enrollment_test.go
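Review bot: In the schema hunk at `@@ -106,6 +106,12 @@`, `enroll_authenticator_types` accepts any string, and its description, "Enrolls authenticator types", says neither which values are valid nor what omitting the attribute means for registration. This field decides which authenticators a self-registering user is asked to enroll, so a mistyped value should be rejected at plan time rather than surfacing as an API error at apply, or not at all. I would list the accepted values in the description (the example and test on this page use only `password`) and, if the API accepts a closed list, validate each element with `Elem: &schema.Schema{Type: schema.TypeString, ValidateFunc: validation.StringInSlice(<accepted values>, false)},`, the list to be confirmed against the Okta API. The schema function starts outside the hunk.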
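Review bot: The `d.GetOk("enroll_authenticator_types")` guard in the `@@ -273,6 +280,10 @@` hunk leaves no way to clear the setting: `GetOk` reports false for an empty or removed set, and the new SDK field is tagged `omitempty`, so the request then carries no `enrollAuthenticatorTypes` at all. If the API keeps the previous value in that case (not visible here), the Read line in the `@@ -181,6 +187,7 @@` hunk writes it back to state and, with the attribute `Optional` but not `Computed`, the plan keeps proposing a change that apply cannot make, so an operator could believe an enrollment requirement was removed when it was not. The same Read line may also show a diff on existing resources whose config omits the attribute, if the API returns a default. I would add an acceptance step that removes the attribute and asserts a clean plan, and depending on the result either send an explicit empty list or add `Computed: true,` to the schema. Both function bodies extend beyond their hunks.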
@@ -53,6 +53,8 @@ resource "okta_group" "test" {
 resource.TestCheckResourceAttr(resourceName, "unknown_user_action", "REGISTER"),
 resource.TestCheckResourceAttr(resourceName, "email_verification", "true"),
 resource.TestCheckResourceAttr(resourceName, "access", "ALLOW"),
+ resource.TestCheckResourceAttr(resourceName, "enroll_authenticator_types.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "enroll_authenticator_types.0", "password"),
 resource.TestCheckResourceAttr(resourceName, "profile_attributes.#", "1"),
 resource.TestCheckResourceAttr(resourceName, "profile_attributes.0.name", "email"),
 ),
diff --git a/sdk/v2_profileEnrollmentPolicyRuleAction.go b/sdk/v2_profileEnrollmentPolicyRuleAction.go
index 23ae154eb..043537f6a 100644
--- a/sdk/v2_profileEnrollmentPolicyRuleAction.go
+++ b/sdk/v2_profileEnrollmentPolicyRuleAction.go
@@ -10,6 +10,7 @@ type ProfileEnrollmentPolicyRuleAction struct {
 TargetGroupIds []string `json:"targetGroupIds,omitempty"`
 UiSchemaId string `json:"uiSchemaId,omitempty"`
 UnknownUserAction string `json:"unknownUserAction,omitempty"`
+ EnrollAuthenticatorTypes []string `json:"enrollAuthenticatorTypes,omitempty"`
 }
 func NewProfileEnrollmentPolicyRuleAction() *ProfileEnrollmentPolicyRuleAction {
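Review bot: The added check on `enroll_authenticator_types.0` in the `@@ -53,6 +53,8 @@` hunk addresses a `TypeSet` element by position, which holds only while the set has one element and ties the test to how the test framework flattens sets. If the plugin SDK version in use provides it, `resource.TestCheckTypeSetElemAttr(resourceName, "enroll_authenticator_types.*", "password"),` asserts membership without depending on an index. The test also covers only the create path; a second step that changes or removes the attribute would exercise the update and read behaviour the other hunks add. The check list belongs to a test function that starts and ends outside the hunk.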