diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 30e0c66..a5411c6 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -16,6 +16,10 @@ jobs:
 uses: actions/checkout@v2
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v1
+ - name: Convert PEM to JWK
+ run: |
+ gem install --user-install json-jwt
+ export TF_VAR_okta_jwk_n=`ruby scripts/jwk.rb`
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
 with:
@@ -33,6 +37,8 @@ jobs:
 run: terraform fmt -check -diff
 - name: Terraform Init
 id: init
+ env:
+ TF_CLI_ARGS: ${{ secrets.TF_CLI_ARGS }}
 run: terraform init
 - name: Terraform Plan
 id: plan
diff --git a/main.tf b/main.tf
index 194c9f2..d24b04c 100644
--- a/main.tf
+++ b/main.tf
@@ -5,13 +5,19 @@ terraform {
 region = "us-west-2"
 key = "indent/terraform.tfstate"
 }
+}
+# Configure the Okta Provider
+provider "okta" {
+ org_name = var.okta_prefix
+ base_url = "okta.com"
+ api_token = var.okta_token
 }
 # Indent + Okta Integration
-# Details: https://github.com/indentapis/integrations/tree/f494cef86094c3b40ac124e3159f5f3391c7e6c8/packages/stable/indent-integration-okta
-# Last Change: https://github.com/indentapis/integrations/commit/f494cef86094c3b40ac124e3159f5f3391c7e6c8
+# Details: https://github.com/indentapis/integrations/tree/f0cea0e363f8950c7a217d186df6c377ed52e9d7/packages/stable/indent-integration-okta
+# Last Change: https://github.com/indentapis/integrations/commit/f0cea0e363f8950c7a217d186df6c377ed52e9d7
 module "idt-okta-webhook" {
 source = "git::https://github.com/indentapis/integrations//terraform/modules/indent_runtime_aws_lambda"
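Review bot: The `export TF_VAR_okta_jwk_n=...` on the last added line of the "Convert PEM to JWK" step only sets the variable in that step's shell; the later Terraform Init/Plan steps run in fresh shells and will never see it, so `okta_jwk_n` will keep its declared default and the `jwks` block will be created with an empty modulus. Persist it to the job environment instead: `echo "TF_VAR_okta_jwk_n=$(ruby scripts/jwk.rb)" >> "$GITHUB_ENV"`. The same step leaves a freshly generated `private.pem` in the workspace, so any later step in this job that uploads artifacts or caches the checkout would carry the private key with it; the job continues outside the hunk, so that is worth checking. `gem install --user-install` presumably depends on the user gem directory being on the gem path for `require 'json/jwt'` to resolve on the runner image — confirm, since a failure there only surfaces at deploy time.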
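Review bot: The new `env:` block on the Terraform Init step binds a secret to the generic `TF_CLI_ARGS` name, which Terraform applies to every subcommand; it is harmless here only because the step runs `terraform init` alone, and it would silently change plan/apply behaviour if the block were ever copied to those steps. If the secret holds backend configuration (its contents are not visible here), the subcommand-scoped form `TF_CLI_ARGS_init: ${{ secrets.TF_CLI_ARGS }}` documents that intent and keeps the flags from leaking into other commands.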
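Review bot: The added `provider "okta"` block has no matching `required_providers` entry in this hunk, and the `terraform {}` block it follows (whose opening is outside the hunk) shows only backend settings here; on Terraform 0.13+ the Okta provider is resolved from a namespaced registry source, so `terraform init` may fail to find it unless such an entry exists elsewhere in the configuration. If it is missing, add inside the terraform block `required_providers { okta = { source = "okta/okta" } }` with a version constraint, so deploys do not pick up whatever the latest provider release is. Note also that the provider authenticates with `var.okta_token`, an admin API token, so that secret stays live for CI even though the Lambda stops receiving `OKTA_TOKEN` in the next hunk; a comment on `api_token` saying it is used only for provisioning would prevent someone from dropping the variable later.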
@@ -19,15 +25,36 @@ module "idt-okta-webhook" {
 indent_webhook_secret = var.indent_webhook_secret
 artifact = {
 bucket = "indent-artifacts-us-west-2"
- function_key = "webhooks/aws/lambda/okta-f494cef86094c3b40ac124e3159f5f3391c7e6c8-function.zip"
- deps_key = "webhooks/aws/lambda/okta-f494cef86094c3b40ac124e3159f5f3391c7e6c8-deps.zip"
+ function_key = "webhooks/aws/lambda/okta-f0cea0e363f8950c7a217d186df6c377ed52e9d7-function.zip"
+ deps_key = "webhooks/aws/lambda/okta-f0cea0e363f8950c7a217d186df6c377ed52e9d7-deps.zip"
 }
 env = {
- OKTA_DOMAIN = var.okta_domain
- OKTA_TOKEN = var.okta_token
+ OKTA_DOMAIN = "${var.okta_prefix}.okta.com"
+ # OKTA_TOKEN = var.okta_token
 OKTA_SLACK_APP_ID = var.okta_slack_app_id
- OKTA_CLIENT_ID = var.okta_client_id
- OKTA_PRIVATE_KEY = var.okta_private_key
+ OKTA_CLIENT_ID = okta_app_oauth.indent.id
+ OKTA_PRIVATE_KEY = file("./private.pem")
+ }
+}
+
+resource "okta_app_oauth" "indent" {
+ label = "indent_integration"
+ type = "service"
+ token_endpoint_auth_method = "private_key_jwt"
+ grant_types = ["client_credentials"]
+ response_types = ["token"]
+ pkce_required = true
+
+ jwks {
+ kty = "RSA"
+ kid = "SIGNING_KEY"
+ e = "AQAB"
+ n = var.okta_jwk_n
 }
 }
+resource "okta_app_oauth_api_scope" "indent-scopes" {
+ app_id = okta_app_oauth.indent.id
+ issuer = "https://${var.okta_prefix}.okta.com"
+ scopes = ["okta.groups.manage", "okta.users.manage"]
+}
diff --git a/scripts/jwk.rb b/scripts/jwk.rb
new file mode 100644
index 0000000..86698b6
--- /dev/null
+++ b/scripts/jwk.rb
@@ -0,0 +1,6 @@
+require 'openssl'
+require 'json/jwt'
+rsa_private = OpenSSL::PKey::RSA.generate 2048
+File.write('./private.pem', rsa_private.to_pem)
+rsa_private = OpenSSL::PKey::RSA.new rsa_private_string
+puts rsa_private.public_key.to_jwk["n"]
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 502c8f7..6fe5f15 100644
--- a/variables.tf
+++ b/variables.tf
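Review bot: `OKTA_PRIVATE_KEY = file("./private.pem")` on the new env line puts the raw RSA private key into a Lambda environment variable, so it is stored in plaintext in the Terraform state kept in the S3 backend shown in the previous hunk and is readable by any principal allowed `lambda:GetFunctionConfiguration`; because the key is regenerated on every deploy, each retained state version holds a different live-at-the-time key. Prefer having the function fetch the key from a secret store (AWS Secrets Manager or SSM Parameter Store) at runtime, or at minimum feed it through the `okta_private_key` variable that variables.tf now declares with `sensitive = true` so plan output redacts it. `file()` is also evaluated at plan time, so any plan that runs without scripts/jwk.rb having run first (a local plan, or a reordered CI step) fails on the missing file rather than on a clear message. The commented-out `# OKTA_TOKEN = var.okta_token` entry is dead configuration and should be removed rather than left in the env map.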
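Review bot: Line 5, `rsa_private = OpenSSL::PKey::RSA.new rsa_private_string`, references `rsa_private_string`, which is never defined, so the script raises NameError before printing anything and the workflow step that calls it fails; `rsa_private` already holds the generated key from line 3, so the line should simply be deleted. `File.write('./private.pem', rsa_private.to_pem)` creates the key file under the process umask, which is typically group/world readable; `File.write('./private.pem', rsa_private.to_pem, perm: 0600)` keeps it owner-only. A header comment stating that the script generates a fresh 2048-bit RSA key on each run, writes the PEM to ./private.pem, and prints only the JWK modulus `n` (for TF_VAR_okta_jwk_n) would save the next reader from reverse-engineering the contract from the workflow.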
@@ -18,6 +18,25 @@ variable "okta_domain" {
 default = ""
 sensitive = true
 }
+variable "okta_prefix" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
+variable "okta_private_key" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
+variable "okta_jwk_n" {
+ # just the `n` portion of the okta jwk;
+ # TF_VARS_okta_private_key="" scripts/jwk.rb
+ type = string
+ default = ""
+ sensitive = true
+}
 variable "okta_token" {
 type = string
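Review bot: The comment on the new `okta_jwk_n` variable, `# TF_VARS_okta_private_key="" scripts/jwk.rb`, is misleading in two ways: Terraform reads variables from the `TF_VAR_` prefix, not `TF_VARS_`, and scripts/jwk.rb in this commit reads no such variable at all — it generates its own key and prints the modulus. Replace it with `# modulus (n) of the Okta app JWK; produced on each deploy by: ruby scripts/jwk.rb`. The `okta_private_key` variable added here is not referenced by main.tf after this change (the Lambda env now reads `file("./private.pem")`), so it is declared but dead unless the key is routed through it. `sensitive = true` on `okta_jwk_n` only hides a public value from plan output, which is harmless, but marking the public modulus sensitive while the real secret bypasses the variable system invites confusion about where the sensitive material actually lives.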