Adds support to create users with credentials

examples/okta_user/basic_with_credentials.tf

@@ -0,0 +1,9 @@
+resource "okta_user" "test" {
+  first_name        = "TestAcc"
+  last_name         = "Smith"
+  login             = "test-acc-replace_with_uuid@example.com"
+  email             = "test-acc-replace_with_uuid@example.com"
+  password          = "Abcd1234"
+  recovery_question = "What is the answer to life, the universe, and everything?"
+  recovery_answer   = "Forty Two"
+}

okta/resource_okta_user.go

@@ -47,6 +47,9 @@ var profileKeys = []string{
 	"title",
 	"user_type",
 	"zip_code",
+	"password",
+	"recovery_question",
+	"recovery_answer",
 }
 
 func resourceUser() *schema.Resource {
@@ -265,6 +268,21 @@ func resourceUser() *schema.Resource {
 				Optional:    true,
 				Description: "User zipcode or postal code",
 			},
+			"password": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "User Password",
+			},
+			"recovery_question": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "User Password Recovery Question",
+			},
+			"recovery_answer": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "User Password Recovery Answer",
+			},
 		},
 	}
 }
@@ -291,7 +309,38 @@ func resourceUserCreate(d *schema.ResourceData, m interface{}) error {
 		qp = query.NewQueryParams(query.WithActivate(false))
 	}
 
-	userBody := okta.User{Profile: profile}
+	password := d.Get("password").(string)
+	recoveryQuestion := d.Get("recovery_question").(string)
+	recoveryAnswer := d.Get("recovery_answer").(string)
+
+	if recoveryQuestion != "" && len(recoveryAnswer) < 4 {
+		return fmt.Errorf("[ERROR] Okta does not allow security answers with less than 4 characters")
+	}
+
+	p := &okta.PasswordCredential{
+		Value: password,
+	}
+
+	uc := &okta.UserCredentials{
+		Password: p,
+	}
+
+	if recoveryQuestion != "" && len(recoveryAnswer) >= 4 {
+		rq := &okta.RecoveryQuestionCredential{
+			Question: recoveryQuestion,
+			Answer:   recoveryAnswer,
+		}
+
+		uc = &okta.UserCredentials{
+			Password:         p,
+			RecoveryQuestion: rq,
+		}
+	}
+
+	userBody := okta.User{
+		Profile:     profile,
+		Credentials: uc,
+	}
 	user, _, err := client.User.CreateUser(userBody, qp)
 
 	if err != nil {

okta/resource_okta_user_test.go

@@ -169,6 +169,7 @@ func TestAccOktaUser_updateAllAttributes(t *testing.T) {
 	config := mgr.GetFixtures("staged.tf", ri, t)
 	updatedConfig := mgr.GetFixtures("all_attributes.tf", ri, t)
 	minimalConfig := mgr.GetFixtures("basic.tf", ri, t)
+	minimalConfigWithCredentials := mgr.GetFixtures("basic_with_credentials.tf", ri, t)
 	resourceName := fmt.Sprintf("%s.test", oktaUser)
 	email := fmt.Sprintf("test-acc-%d@example.com", ri)
 
@@ -233,6 +234,17 @@ func TestAccOktaUser_updateAllAttributes(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "email", email),
 				),
 			},
+			{
+				Config: minimalConfigWithCredentials,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "first_name", "TestAcc"),
+					resource.TestCheckResourceAttr(resourceName, "last_name", "Smith"),
+					resource.TestCheckResourceAttr(resourceName, "login", email),
+					resource.TestCheckResourceAttr(resourceName, "email", email),
+					resource.TestCheckResourceAttr(resourceName, "password", "Abcd1234"),
+					resource.TestCheckResourceAttr(resourceName, "recovery_answer", "Forty Two"),
+				),
+			},
 		},
 	})
 }

website/docs/r/user.html.markdown

@@ -99,6 +99,12 @@ The following arguments are supported:
 
 * `zip_code` - (Optional) User profile property.
 
+* `password` - (Optional) User password.
+
+* `recovery_question` - (Optional) User password recovery question.
+
+* `recovery_answer` - (Optional) User password recovery answer.
+
 ## Attributes Reference
 
 * `index` - (Optional) ID of the User schema property.