  • This repository has been archived on 15/Jun/2021
  • Stars: 108
  • Language: Go
  • License: Mozilla Public Li...
  • Created over 6 years ago
  • Updated over 4 years ago


🎉 Now an official Terraform provider! 🚚 We've moved to https://github.com/terraform-providers/terraform-provider-okta/

Terraform Provider Okta

🎉 It's Official 🎉

We've moved! In an effort to provide better support for this project, Hashicorp and Okta have helped us make this an official provider. This repo will only be used for historical reference and will be read-only. Please submit new Issues and PRs at Hashicorp.

Maintainers

This provider plugin is maintained by the Terraform team at Articulate. To contribute see here. For more information on how to develop see here. Acceptance tests are no longer run by Travis due to the number of API calls it generates. You must post a passing ACC test screenshot with your PR.

Requirements

  • Terraform 0.12.x
  • Go 1.12 (to build the provider plugin)

Demo

For a more in depth holistic usage demo, see our demo repository here.

Usage

This plugin requires two inputs to run: the Okta organization name and the Okta API token. The Okta base URL is optional and defaults to "okta.com" when left out.

You can specify the inputs in your tf plan:

provider "okta" {
  org_name  = <okta instance name, e.g. dev-XXXXXX>
  api_token = <okta instance api token with the Administrator role>
  base_url  = <okta base url, e.g. oktapreview.com>

  // Optional settings, https://en.wikipedia.org/wiki/Exponential_backoff
  max_retries      = <number of retries on api calls, default: 5>
  backoff          = <enable exponential backoff strategy for rate limits, default: true>
  min_wait_seconds = <min number of seconds to wait on backoff, default: 30>
  max_wait_seconds = <max number of seconds to wait on backoff, default: 300>
}

OR you can specify environment variables:

OKTA_ORG_NAME=<okta instance name, e.g. dev-XXXXXX>
OKTA_API_TOKEN=<okta instance api token with the Administrator role>
OKTA_BASE_URL=<okta base url, e.g. oktapreview.com>
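The following Go program is an added example, not code from the provider itself. It shows how the inputs above resolve: a value given in the plan wins, an unset value falls back to the documented environment variable, and the base URL defaults to okta.com. It also derives the retry schedule from max_retries, min_wait_seconds and max_wait_seconds and runs a call with that schedule, retrying only on HTTP 429 so that an invalid token is reported once instead of being retried. The Config type, the OrgURL validation, the doubling curve for the backoff and the injected sleep/getenv functions are this example's own assumptions; the README states the knobs and their defaults, not the provider's internal implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// Config holds the provider inputs described in the README. The struct and its
// field names are this example's own; the setting names, environment variables
// and defaults (okta.com, 5 retries, 30 s min wait, 300 s max wait) are the
// README's. The backoff on/off switch is left out to keep the example short.
type Config struct {
	OrgName        string
	APIToken       string
	BaseURL        string
	MaxRetries     int
	MinWaitSeconds int
	MaxWaitSeconds int
}

// FromEnv fills fields not set explicitly from the documented environment
// variables, then applies the README defaults. Explicit values win, so a value
// in the plan is never silently replaced by the environment. getenv is injected
// so resolution can be tested without touching the real environment.
func (c Config) FromEnv(getenv func(string) string) Config {
	if c.OrgName == "" {
		c.OrgName = getenv("OKTA_ORG_NAME")
	}
	if c.APIToken == "" {
		c.APIToken = getenv("OKTA_API_TOKEN")
	}
	if c.BaseURL == "" {
		c.BaseURL = getenv("OKTA_BASE_URL")
	}
	if c.BaseURL == "" {
		c.BaseURL = "okta.com" // README default
	}
	if c.MaxRetries == 0 {
		c.MaxRetries = 5
	}
	if c.MinWaitSeconds == 0 {
		c.MinWaitSeconds = 30
	}
	if c.MaxWaitSeconds == 0 {
		c.MaxWaitSeconds = 300
	}
	return c
}

// OrgURL validates the inputs and derives the API base URL. The checks are this
// example's additions: org_name is the instance prefix only (e.g. dev-XXXXXX),
// so a value that already looks like a host or URL is rejected rather than
// quietly producing a URL for the wrong host.
func (c Config) OrgURL() (string, error) {
	if c.OrgName == "" || strings.ContainsAny(c.OrgName, "./:") {
		return "", errors.New("org_name must be the instance name only, e.g. dev-XXXXXX")
	}
	if c.APIToken == "" {
		return "", errors.New("api_token (or OKTA_API_TOKEN) is required")
	}
	return "https://" + c.OrgName + "." + c.BaseURL, nil
}

// BackoffSchedule lists the wait before each retry: starting at the minimum,
// doubling each time, capped at the maximum. Doubling is the usual exponential
// backoff choice and an assumption here; the README gives only the knobs.
func BackoffSchedule(c Config) []time.Duration {
	waits := make([]time.Duration, 0, c.MaxRetries)
	wait := time.Duration(c.MinWaitSeconds) * time.Second
	limit := time.Duration(c.MaxWaitSeconds) * time.Second
	for i := 0; i < c.MaxRetries; i++ {
		if wait > limit {
			wait = limit
		}
		waits = append(waits, wait)
		wait *= 2
	}
	return waits
}

// Do invokes call until it succeeds or the retry budget is spent. Only HTTP 429
// (rate limited) is retried; any other failure returns at once, so a revoked or
// mistyped token (401/403) is reported a single time. sleep is injected so
// tests do not really wait. Returns the number of attempts made.
func Do(c Config, sleep func(time.Duration), call func() (int, error)) (int, error) {
	waits := BackoffSchedule(c)
	for attempt := 0; ; attempt++ {
		status, err := call()
		if err != nil {
			return attempt + 1, err
		}
		if status < 400 { // 2xx/3xx: done
			return attempt + 1, nil
		}
		if status != http.StatusTooManyRequests || attempt >= len(waits) {
			return attempt + 1, fmt.Errorf("okta api returned HTTP %d after %d attempt(s)", status, attempt+1)
		}
		sleep(waits[attempt])
	}
}

func main() {
	cfg := Config{}.FromEnv(os.Getenv)
	u, err := cfg.OrgURL()
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	fmt.Println("api base:", u)
	fmt.Println("retry waits:", BackoffSchedule(cfg))
}
```

With the defaults, the schedule is 30 s, 60 s, 120 s, 240 s and then 300 s (the doubling is capped), which is why a plan that hits rate limits can take several minutes before it fails rather than erroring on the first 429. Keeping the token out of the plan and supplying OKTA_API_TOKEN from the environment also keeps it out of version control.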

Examples

As we build out resources, we build concomitant acceptance tests that require us to create resource config that actually creates and modifies real resources. We decided to put these test fixtures to good use and provide them as examples here.

Building The Provider

Clone repository to: $GOPATH/src/github.com/articulate/terraform-provider-okta

$ mkdir -p $GOPATH/src/github.com/articulate; cd $GOPATH/src/github.com/articulate
$ git clone [email protected]:articulate/terraform-provider-okta

Enter the provider directory and build the provider. Ensure you have Go Modules enabled; depending on the version of Go you are using, you may have to turn them on with GO111MODULE=on.

$ cd $GOPATH/src/github.com/articulate/terraform-provider-okta
$ make build

Using the provider

Example terraform plan:

provider "okta" {
  org_name  = "dev-XXXXX"
  api_token = "XXXXXXXXXXXXXXXXXXXXXXXX"
  base_url  = "oktapreview.com"
}

resource "okta_user" "blah" {
  first_name = "blah"
  last_name  = "blergh"
  email      = "[email protected]"
  login      = "[email protected]"
}

Disclaimer

There are particular resources and settings that are not exposed on Okta's public API. Please submit an issue if you find one not listed here.

Org Settings

  • Org level customization settings.

Predefined SAML Applications

  • API Integrations on predefined SAML SSO applications. An example of this is the AWS SSO app: you can configure all of the app settings, but you cannot configure anything under Provisioning -> API Integration. According to Okta, adding API support for this is not likely.
  • Group profile settings on SAML applications. An example of this is the AWS SSO application group assignment, which allows you to configure SAML user roles, for instance which group gets access to which AWS environment. This is exposed on the GET endpoint of the Application Groups API but is read-only at the moment.

Common Errors

  • App User Error
The API returned an error: Deactivate application for user forbidden. Causes: errorSummary: The application cannot be unassigned from the user while their group memberships grant them access, The API returned an error: Deactivate application for user forbidden.. Causes: errorSummary: The application cannot be unassigned from the user while their group memberships grant them access.

This requires manual intervention. A user's access must be "converted" via the UI to group access. Okta does not expose an endpoint for this.

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly set up a GOPATH, as well as add $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make build
...
$ $GOPATH/bin/terraform-provider-okta
...

In order to test the provider, you can simply run make test. The acceptance tests require an API token and a corresponding Okta org. If you use dotenv, you can cp .env.sample .env, add your Okta settings there, and prefix make test with dotenv.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

$ make testacc

Best Practices

We are striving to build a provider that is easily consumable and can eventually pass the HashiCorp community audit. To achieve this we must ensure we are following HashiCorp's best practices, which can be derived either from their documentation on the matter or by using a simple, well-written example as our template.
