
Application Admin Roles assignment - not clear how to do in terraform #1662

Open
mcrobbj opened this issue Aug 3, 2023 · 6 comments
Labels
triaged Triaged into internal Jira

Comments

@mcrobbj

mcrobbj commented Aug 3, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Affected Resource(s)

  • okta_resource_set is used to define a resource set
  • okta_admin_role_custom is used to define the permissions that we are giving access to
  • okta_admin_role_custom_assignments binds the resources and permissions to a Group which the app is in

However, this leaves the actual binding to the App in the Admin roles tab with no entry; how do I manage the final step?

Terraform Configuration Files

# Org base URL, built once (the commented-out line below already referred to local.org_url).
locals {
  org_url = format("https://%s.%s", var.org_name, var.base_url)
}

resource "okta_app_oauth" "MiddlewareApp" {
  label                      = "Middleware"
  type                       = "service"
.......
}

resource "okta_group" "Middleware" {
  name        = "Middleware Group"
  description = "Middleware Group"
}

# Assigns the group to the app: members of the group get access to the app.
resource "okta_app_group_assignment" "Middleware" {
  app_id   = okta_app_oauth.MiddlewareApp.id
  group_id = okta_group.Middleware.id
}

# Resource set: the targets (all users and all groups in the org) that the role below is scoped to.
resource "okta_resource_set" "usersGroups" {
  label       = "UsersGroups"
  description = "Users and Groups"
  resources   = [
    "${local.org_url}/api/v1/users",
    #"${local.org_url}/api/v1/apps",
    "${local.org_url}/api/v1/groups"
  ]
}

# Custom admin role: the permissions granted on the resource set.
resource "okta_admin_role_custom" "userAdmin" {
  label       = "User Admin"
  description = "User Admin"
  permissions = ["okta.groups.manage", "okta.groups.members.manage", "okta.groups.read", "okta.users.appAssignment.manage", "okta.users.create", "okta.users.manage", "okta.users.read"]
}

# Grants the custom role, scoped by the resource set, to the members of the group.
# (The original had a missing comma between the two format() arguments here.)
resource "okta_admin_role_custom_assignments" "userAdminAssigment" {
  resource_set_id = okta_resource_set.usersGroups.id
  custom_role_id  = okta_admin_role_custom.userAdmin.id
  members         = [
    "${local.org_url}/api/v1/groups/${okta_group.Middleware.id}"
  ]
}

Debug Output

Panic Output

Expected Behavior

It should bind the custom Admin role to the app, so there should be an entry under the Admin roles tab in the App.

Can this be done in the Admin UI?

Can this be done in the actual API call?

Actual Behavior

Everything is there except the binding to the App

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-636386

@duytiennguyen-okta duytiennguyen-okta added the triaged Triaged into internal Jira label Aug 8, 2023
@tgoodsell-tempus
Contributor

I found this API reference document, https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/RoleAssignment/, from which I can start making an "SDK instance" of these functions until the Golang SDK officially supports them, then create actual resources in Terraform representing them.

However, since that API is in such an "unusual" place compared with the other role assignment, custom role management, and the like, I'd like to ask @monde and @duytiennguyen-okta to weigh in on whether you have any insider knowledge on if that'll be the final "place" and "form" for that API to assign admin roles to Okta client apps.

@tgoodsell-tempus
Contributor

Starting work on this here: #1734

@tgoodsell-tempus
Contributor

FYI @monde @duytiennguyen-okta

The work mentioned above for implementing a resource for this function is now dev complete and ready for a review / test on your end.

@flyweight

I just tested assigning to a custom role via okta_admin_role_custom and resource set via okta_resource_set using the resource okta_app_oauth_role_assignment exposed by @tgoodsell-tempus, and the deployment/assignment went as expected. Thanks

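As an added example (not code from the issue, from PR #1734, or from the provider's own documentation), here is the complete wiring the reporter was missing, using the okta_app_oauth_role_assignment resource that flyweight tested above. It assumes the attribute names client_id, type, role and resource_set on that resource, and the jwks block on okta_app_oauth, as I recall them from the provider docs; verify both against the provider version you pin. It goes a little beyond the original config in two ways that matter for least privilege: the resource set is narrowed to one target group instead of every user and group in the org, and the management-API scope grant (okta_app_oauth_api_scope) is shown next to the role assignment, because a service app needs both. The group assignment from the original config is left out on purpose: okta_app_group_assignment grants the group's users access to the app and does nothing for the app's own admin role, which is why the Admin roles tab stayed empty.

```hcl
# Added example, not taken from the issue or the provider: assign a custom admin
# role, scoped by a resource set, directly to an OAuth service app.
# ASSUMPTION: attribute names on okta_app_oauth_role_assignment (client_id, type,
# role, resource_set) and the jwks block on okta_app_oauth are from memory of the
# provider docs; verify them against the provider version you pin.

terraform {
  required_providers {
    okta = {
      source = "okta/okta"
      # Pin to a release whose changelog lists okta_app_oauth_role_assignment.
    }
  }
}

variable "org_name" { type = string }  # e.g. "dev-123456"
variable "base_url" { type = string }  # e.g. "okta.com" or "oktapreview.com"

# Base64url-encoded RSA modulus of the app's public key (placeholder input;
# generate the key pair outside Terraform and keep the private key off the state).
variable "middleware_public_key_modulus" { type = string }

locals {
  org_url = "https://${var.org_name}.${var.base_url}"
}

# Machine-to-machine app. A service app that calls the Okta management API
# authenticates with a key pair (private_key_jwt); the public key is registered
# inline as a JWK.
resource "okta_app_oauth" "middleware" {
  label                      = "Middleware"
  type                       = "service"
  grant_types                = ["client_credentials"]
  response_types             = ["token"]
  token_endpoint_auth_method = "private_key_jwt"

  jwks {
    kty = "RSA"
    kid = "middleware-2023-08"
    e   = "AQAB"
    n   = var.middleware_public_key_modulus
  }
}

# Gate 1: the management-API scopes the app may request. Effective access is the
# intersection of granted scopes and the assigned role, so this alone is not enough.
resource "okta_app_oauth_api_scope" "middleware" {
  app_id = okta_app_oauth.middleware.id
  issuer = local.org_url
  scopes = ["okta.users.manage", "okta.groups.manage"]
}

# Least privilege: one target group, and only the users in it, instead of
# /api/v1/users and /api/v1/groups (which cover the whole org).
resource "okta_group" "managed" {
  name        = "Middleware Managed Users"
  description = "Users the Middleware app is allowed to administer"
}

resource "okta_resource_set" "middleware_targets" {
  label       = "MiddlewareTargets"
  description = "Group and users the Middleware app may manage"
  resources = [
    "${local.org_url}/api/v1/groups/${okta_group.managed.id}",
    "${local.org_url}/api/v1/groups/${okta_group.managed.id}/users",
  ]
}

resource "okta_admin_role_custom" "user_admin" {
  label       = "User Admin"
  description = "Manage users and group membership within the resource set"
  permissions = [
    "okta.users.read",
    "okta.users.manage",
    "okta.groups.read",
    "okta.groups.members.manage",
  ]
}

# Gate 2, the step the original config was missing: the role is assigned to the
# OAuth client itself, so it shows up on the app's "Admin roles" tab and bounds
# what its client_credentials tokens can do.
resource "okta_app_oauth_role_assignment" "middleware_user_admin" {
  client_id    = okta_app_oauth.middleware.client_id
  type         = "CUSTOM"
  role         = okta_admin_role_custom.user_admin.id
  resource_set = okta_resource_set.middleware_targets.id
}

output "middleware_role_assignment_id" {
  value = okta_app_oauth_role_assignment.middleware_user_admin.id
}
```

Two checks worth running after apply: open the app in the Admin Console and confirm the Admin roles tab now lists "User Admin" with the resource set, then request a client_credentials token and call /api/v1/users for a user outside the managed group; a 403 there is the scoping working. Treat the app's private key as an admin credential: okta.users.manage on a user lets the holder change that user's lifecycle and credentials, so the narrower the resource set, the smaller the blast radius if the key leaks.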
@flyweight

Possibly related #2108


4 participants