WIP: Automate creation of Okta service app #16
feat(workflows): read TF_CLI_ARGS from secrets
sync(integration): aws-lambda-okta (indentapis#15)
| env = { | ||
| OKTA_DOMAIN = var.okta_domain | ||
| OKTA_TOKEN = var.okta_token | ||
| OKTA_DOMAIN = "${var.okta_prefix}.okta.com" |
Convert this into a generated locals
| OKTA_CLIENT_ID = var.okta_client_id | ||
| OKTA_PRIVATE_KEY = var.okta_private_key | ||
| OKTA_CLIENT_ID = okta_app_oauth.indent.id | ||
| OKTA_PRIVATE_KEY = file("./private.pem") |
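Review bot: `OKTA_PRIVATE_KEY = file("./private.pem")` reads the key off the local disk at plan time, so the PEM contents land in the Lambda environment block, in Terraform state and in plan output in plaintext. Suggest feeding it through a variable declared `sensitive = true` (or a reference to a secrets store) instead of `file()`, which also removes the dependency on jwk.rb having been run on the same machine as the apply.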
this is generated by the jwk.rb script, which also sets a TF_VAR for the jwk n value. Clean this up -- make them both vars, probably (and ignore changes as well).
|
|
||
| resource "okta_app_oauth_api_scope" "indent-scopes" { | ||
| app_id = okta_app_oauth.indent.id | ||
| issuer = "https://${var.okta_prefix}.okta.com" |
use generated local for this
| sensitive = true | ||
| } | ||
|
|
||
| variable "okta_jwk_n" { |
did it this way because it was easier to get working, but should fully flesh this out as the full jwk, or even the full pub/priv key and read fields from it at a time.
| require 'openssl' | ||
| require 'json/jwt' | ||
| rsa_private = OpenSSL::PKey::RSA.generate 2048 | ||
| File.write('./private.pem', rsa_private.to_pem) |
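Review bot: `File.write('./private.pem', rsa_private.to_pem)` creates the file with the process umask, so the private key is usually world-readable until someone fixes the mode by hand. Suggest `File.write('./private.pem', rsa_private.to_pem, perm: 0600)` and adding `private.pem` to the ignore list so the generated key cannot be committed alongside the module.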
either all file output, or all env var.
| provider "okta" { | ||
| org_name = var.okta_prefix | ||
| base_url = "okta.com" | ||
| api_token = var.okta_token |
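Review bot: `api_token = var.okta_token` passes an Okta admin API token through a plain variable, so it will show up in tfvars files, CLI arguments and plan output unless `variable "okta_token"` is declared `sensitive = true`; please add that. The provider only needs the token while the `okta_app_oauth` resources are being created, which is the revocation problem described in the comment on this hunk, so keeping the token out of variables and state makes the run-once stage easier to reason about.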
this is the Number 1 thing here: we need to handle this gracefully: what happens when we delete the token?
Current thought is a run-once stage that sets up the okta_app_oauth; we can then read the necessary values from state in the bucket without having to refresh it (and run into API rejections from token revocation).
ref: https://indentinc.atlassian.net/browse/ID-1803