Unsupport path when enabling TOTP MFA method

Receiving the following error when trying to enable TOTP MFA for Vault.

Error: error writing to Vault at sys/mfa/method/totp/gfs_mfa, err=Error making API request.
14:26:22  URL: PUT https://<VAULT URL>/v1/sys/mfa/method/totp/gfs_mfa
14:26:22  Code: 404. Errors:
14:26:22  * 1 error occurred:
14:26:22  	* unsupported path
14:26:22    on mfa_totp.tf line 1, in resource "vault_mfa_totp" "mfa_totp":
14:26:22     1: resource "vault_mfa_totp" "mfa_totp" {

We are using Vault open source and are currently on version 1.12.2 (although I’ve received the same error on 1.13.2).
We are using Terraform, so we’re trying to apply this change with the vault_mfa_totp resource.
I understand from this post (sys/mfa/method/okta/my_okta --- unsupported path · Issue #7671 · hashicorp/vault · GitHub) that the sys/mfa endpoint is only available in Vault Enterprise.

How are we to change the endpoint to apply this feature in Vault using Terraform?

Thank you


I was able to get the TOTP MFA method configured in Vault open source using the Terraform vault_generic_endpoint via the code below since this resource supports a path argument.

resource "vault_generic_endpoint" "totp" {
  path           = "/identity/mfa/method/totp"
  disable_read   = true
  disable_delete = true
  data_json      = <<EOT

While this works, this should be doable using vault_mfa_totp.

That resource is specific to a kind of MFA that is only present in Vault Enterprise.

Configuring this shouldn’t be possible using that resource, but there ought to be another resource to do it, and the documentation should be made better so it is less confusing.

I believe there have been no less than three different implementations of MFA in Vault over the years, some Enterprise-only, some not, so there are lots of docs out there which can lead people in false directions.

UPDATE: The vault_identity_mfa_totp resource already exists: Terraform Registry

Thank you @maxb

I just found this resource this morning and already have it working.