feat(specs): Add spec, tests and examples for panos_mfa_server_profile#684

Open: kklimonda-cl wants to merge 1 commit into main from feat-specs-mfa-server-profile

Conversation

kklimonda-cl (Contributor) commented Dec 2, 2025

MFA Server Profile Resource

Terraform Resource Name

panos_mfa_server_profile

Resource Variants

  • singular (default)

Supported Locations

  • template-vsys - Located in a specific template, device and vsys
  • template - A shared resource located within a specific template
  • template-stack-vsys - Located in a specific template stack, device and vsys
  • template-stack - Located in a specific template stack
  • shared - Panorama shared object
  • vsys - Located in a specific Virtual System

Parameters

Parameters with Codegen Overrides

| Parameter | Type | Description | Overrides | Notes |
|---|---|---|---|---|
| mfa_config[].value | string | Missing description | sensitive: true, hashing: solo | Configuration values are marked sensitive and use solo hashing for PAN-OS encrypted returns |

Standard Parameters

| Parameter | Type | Description | Required |
|---|---|---|---|
| name | string | Missing description | Yes (entry key) |
| mfa_cert_profile | string | Certificate profile for verifying the MFA Vendor | No |
| mfa_config | list(object) | Missing description | No |
| mfa_config[].name | string | Entry key | Yes (entry key) |
| mfa_vendor_type | string | Vendor and product type | No |

Custom Validation

This resource includes custom validation logic (custom_validation: true) implemented in ValidateConfigCustom:

Vendor-Specific Configuration Validation

The custom validator enforces strict vendor-specific configuration requirements for four supported MFA vendors:

  1. duo-security-v2 - Requires 5 configuration keys:
    - duo-api-host
    - duo-integration-key
    - duo-secret-key
    - duo-timeout
    - duo-baseuri
  2. okta-adaptive-v1 - Requires 5 configuration keys:
    - okta-api-host
    - okta-baseuri
    - okta-token
    - okta-org
    - okta-timeout
  3. ping-identity-v1 - Requires 5 configuration keys:
    - ping-api-host
    - ping-baseuri
    - ping-token
    - ping-org-alias
    - ping-timeout
  4. rsa-securid-access-v1 - Requires 6 configuration keys:
    - rsa-api-host
    - rsa-baseuri
    - rsa-accesskey
    - rsa-accessid
    - rsa-assurancepolicyid
    - rsa-timeout

Validation Rules

The custom validator performs the following checks at plan time:

  • Invalid vendor type: Returns an error if mfa_vendor_type is not one of the four supported vendors
  • Missing required keys: Returns an error listing all missing configuration keys required by the selected vendor
  • Invalid configuration keys: Returns an error if configuration keys from other vendors are provided
  • Config without vendor type: Returns an error if mfa_config is provided without specifying mfa_vendor_type
  • Certificate-only profiles: Allows profiles with only mfa_cert_profile set (both mfa_vendor_type and mfa_config can be omitted)

This validation is needed because when a valid mfa-vendor-type is used, the PAN-OS device will return some of those list values even if they were not sent, creating an inconsistency between the plan and the final value. By creating this validation we are enforcing that all values must be set by the user. This does mean we do not allow any defaults to be set by the PAN-OS device, but that probably can't work with the way the schema is defined.
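The validation rules above, as an added Go example that is not the provider's ValidateConfigCustom: validateMFAProfile and diff are hypothetical names, the per-vendor key sets are the ones listed in the description, and the example rejects any mfa_config key outside the selected vendor's set, which also covers keys belonging to other vendors.

```go
package main

import "fmt"

// Required mfa_config keys per vendor (from the PR description); this stand-in for ValidateConfigCustom is example code, not the provider's.
var requiredKeys = map[string][]string{
	"duo-security-v2":       {"duo-api-host", "duo-integration-key", "duo-secret-key", "duo-timeout", "duo-baseuri"},
	"okta-adaptive-v1":      {"okta-api-host", "okta-baseuri", "okta-token", "okta-org", "okta-timeout"},
	"ping-identity-v1":      {"ping-api-host", "ping-baseuri", "ping-token", "ping-org-alias", "ping-timeout"},
	"rsa-securid-access-v1": {"rsa-api-host", "rsa-baseuri", "rsa-accesskey", "rsa-accessid", "rsa-assurancepolicyid", "rsa-timeout"},
}

// diff returns the elements of a that are absent from b, in a's order.
func diff(a, b []string) []string {
	in := make(map[string]bool, len(b))
	for _, k := range b {
		in[k] = true
	}
	var out []string
	for _, k := range a {
		if !in[k] {
			out = append(out, k)
		}
	}
	return out
}

// PAN-OS fills in omitted keys, so plan and state only agree when mfa_config's keys are exactly the vendor's set.
// vendorType is the planned mfa_vendor_type ("" if omitted); configKeys are the planned mfa_config[].name values.
func validateMFAProfile(vendorType string, configKeys []string) error {
	if vendorType == "" {
		if len(configKeys) > 0 {
			return fmt.Errorf("mfa_config is set but mfa_vendor_type is missing")
		}
		return nil // certificate-only profile: vendor type and config may both be omitted
	}
	required, ok := requiredKeys[vendorType]
	if !ok {
		return fmt.Errorf("unsupported mfa_vendor_type %q", vendorType)
	}
	if missing := diff(required, configKeys); len(missing) > 0 {
		return fmt.Errorf("mfa_vendor_type %q requires missing mfa_config keys: %v", vendorType, missing)
	}
	if invalid := diff(configKeys, required); len(invalid) > 0 {
		return fmt.Errorf("mfa_config has keys not valid for %q: %v", vendorType, invalid)
	}
	return nil
}

func main() { fmt.Println(validateMFAProfile("duo-security-v2", []string{"duo-api-host", "duo-baseuri"})) }
```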

kklimonda-cl force-pushed the feat-specs-mfa-server-profile branch from 413108e to 6008581 on December 17, 2025 18:15
kklimonda-cl force-pushed the feat-specs-mfa-server-profile branch 2 times, most recently from f64683e to 6008581 on January 15, 2026 13:04
kklimonda-cl force-pushed the feat-specs-mfa-server-profile branch 3 times, most recently from 7ee4a1c to 64c5811 on January 21, 2026 14:54