From 4141ce7f76d01b37d4b9c5e3c1dfc1e24f0062f3 Mon Sep 17 00:00:00 2001
From: Evan Tschuy
Date: Fri, 14 Oct 2022 11:42:36 -0700
Subject: [PATCH 1/4] feat(workflows): read TF_CLI_ARGS from secrets
---
 .github/workflows/deploy.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 30e0c66..0a85593 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -33,6 +33,8 @@ jobs:
 run: terraform fmt -check -diff
 - name: Terraform Init
 id: init
+ env:
+ TF_CLI_ARGS: ${{ secrets.TF_CLI_ARGS }}
 run: terraform init
 - name: Terraform Plan
 id: plan
From 2ddd7008b2fbae2db12d034a798769f7a91007da Mon Sep 17 00:00:00 2001
From: Evan Tschuy
Date: Fri, 28 Oct 2022 11:40:52 -0700
Subject: [PATCH 2/4] feat(okta): create okta service app with terraform
---
 .github/workflows/deploy.yaml | 4 ++++
 main.tf | 41 +++++++++++++++++++++++++++++------
 variables.tf | 19 ++++++++++++++++
 3 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 0a85593..c3a957c 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -36,6 +36,10 @@ jobs:
 env:
 TF_CLI_ARGS: ${{ secrets.TF_CLI_ARGS }}
 run: terraform init
+ - name: Convert PEM to JWK
+ run: |
+ gem install json-jwt
+ export TF_VAR_okta_jwk_n=`ruby scripts/jwk.rb`
 - name: Terraform Plan
 id: plan
 if: github.event_name == 'pull_request'
diff --git a/main.tf b/main.tf
index 194c9f2..644b03f 100644
--- a/main.tf
+++ b/main.tf
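Review bot: `TF_CLI_ARGS` is honoured by every terraform subcommand, but the new `env:` block is attached only to the `Terraform Init` step, so whatever the secret carries (presumably `-backend-config=...` flags) is absent from the `Terraform Plan` step that follows and from any apply step. If the flags are init-only, say so by scoping the variable, `TF_CLI_ARGS_init: ${{ secrets.TF_CLI_ARGS }}`; if they are meant for all commands, move `env:` to the job level. Keeping CLI flags inside a masked secret also hides from reviewers which flags a run receives, so a one-line comment above `env:` naming the kind of flags the secret is expected to hold would help the next reader.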
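Review bot: The `export TF_VAR_okta_jwk_n=...` in the new `Convert PEM to JWK` step does not outlive the step: each `run:` block is its own shell, so the later `Terraform Plan` step never sees the variable and `okta_jwk_n` silently falls back to its default. Publish it through the step-file instead, `echo "TF_VAR_okta_jwk_n=$(ruby scripts/jwk.rb)" >> "$GITHUB_ENV"`. The same `export` form survives in PATCH 3/4, where the first deploy.yaml hunk relocates this step, so the fix applies there too.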
@@ -5,13 +5,19 @@ terraform {
 region = "us-west-2"
 key = "indent/terraform.tfstate"
 }
+}
+# Configure the Okta Provider
+provider "okta" {
+ org_name = var.okta_prefix
+ base_url = "okta.com"
+ api_token = var.okta_token
 }
 # Indent + Okta Integration
-# Details: https://github.com/indentapis/integrations/tree/f494cef86094c3b40ac124e3159f5f3391c7e6c8/packages/stable/indent-integration-okta
-# Last Change: https://github.com/indentapis/integrations/commit/f494cef86094c3b40ac124e3159f5f3391c7e6c8
+# Details: https://github.com/indentapis/integrations/tree/f0cea0e363f8950c7a217d186df6c377ed52e9d7/packages/stable/indent-integration-okta
+# Last Change: https://github.com/indentapis/integrations/commit/f0cea0e363f8950c7a217d186df6c377ed52e9d7
 module "idt-okta-webhook" {
 source = "git::https://github.com/indentapis/integrations//terraform/modules/indent_runtime_aws_lambda"
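Review bot: The Okta host is now assembled independently in three places — `base_url = "okta.com"` in the new provider block here, `OKTA_DOMAIN = "${var.okta_prefix}.okta.com"` in the module env and `issuer = "https://${var.okta_prefix}.okta.com"` in the scope resource of the next hunk — so a move to a preview or EU cell would have to be repeated three times. Compute it once, `locals { okta_domain = "${var.okta_prefix}.okta.com" }`, and reference `local.okta_domain` from each. With `OKTA_DOMAIN` no longer taken from it, `var.okta_domain` (still declared in variables.tf, per the context of that file's hunk) appears to be unused after this series; confirm and remove it, or keep it as the single source of the host instead of introducing `okta_prefix`.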
@@ -19,15 +25,36 @@ module "idt-okta-webhook" {
 indent_webhook_secret = var.indent_webhook_secret
 artifact = {
 bucket = "indent-artifacts-us-west-2"
- function_key = "webhooks/aws/lambda/okta-f494cef86094c3b40ac124e3159f5f3391c7e6c8-function.zip"
- deps_key = "webhooks/aws/lambda/okta-f494cef86094c3b40ac124e3159f5f3391c7e6c8-deps.zip"
+ function_key = "webhooks/aws/lambda/okta-f0cea0e363f8950c7a217d186df6c377ed52e9d7-function.zip"
+ deps_key = "webhooks/aws/lambda/okta-f0cea0e363f8950c7a217d186df6c377ed52e9d7-deps.zip"
 }
 env = {
- OKTA_DOMAIN = var.okta_domain
- OKTA_TOKEN = var.okta_token
+ OKTA_DOMAIN = "${var.okta_prefix}.okta.com"
+ # OKTA_TOKEN = var.okta_token
 OKTA_SLACK_APP_ID = var.okta_slack_app_id
- OKTA_CLIENT_ID = var.okta_client_id
+ OKTA_CLIENT_ID = okta_app_oauth.indent.id
 OKTA_PRIVATE_KEY = var.okta_private_key
 }
 }
+resource "okta_app_oauth" "indent" {
+ label = "indent_integration"
+ type = "service"
+ token_endpoint_auth_method = "private_key_jwt"
+ grant_types = ["client_credentials"]
+ response_types = ["token"]
+ pkce_required = true
+
+ jwks {
+ kty = "RSA"
+ kid = "SIGNING_KEY"
+ e = "AQAB"
+ n = var.okta_jwk_n
+ }
+}
+
+resource "okta_app_oauth_api_scope" "indent-scopes" {
+ app_id = okta_app_oauth.indent.id
+ issuer = "https://${var.okta_prefix}.okta.com"
+ scopes = ["okta.groups.manage", "okta.users.manage"]
+}
diff --git a/variables.tf b/variables.tf
index 502c8f7..6fe5f15 100644
--- a/variables.tf
+++ b/variables.tf
@@ -18,6 +18,25 @@ variable "okta_domain" {
 default = ""
 sensitive = true
 }
+variable "okta_prefix" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
+variable "okta_private_key" {
+ type = string
+ default = ""
+ sensitive = true
+}
+
+variable "okta_jwk_n" {
+ # just the `n` portion of the okta jwk;
+ # TF_VARS_okta_private_key="" scripts/jwk.rb
+ type = string
+ default = ""
+ sensitive = true
+}
 variable "okta_token" {
 type = string
From c1c9dfd524a1baf3038f258b35dafaa6bd685df4 Mon Sep 17 00:00:00 2001
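Review bot: `okta_app_oauth_api_scope.indent-scopes` grants `okta.groups.manage` and `okta.users.manage`, the broadest scopes for both resource types; if the webhook only adds and removes group memberships, `okta.groups.manage` together with `okta.users.read` may be all it needs, so check the integration's documented requirements before granting write on users. `pkce_required = true` is an authorization-code-flow setting, while this app has only `grant_types = ["client_credentials"]` with `private_key_jwt`, so it is presumably either a no-op or rejected by the provider — drop it unless the provider insists on it. `kid = "SIGNING_KEY"` is a fixed identifier and `n` comes from a variable that changes whenever the key does, so the app will only ever hold one key and the Lambda must always carry the matching private half; a comment on the `jwks` block such as `# must be derived from the same PEM that the module receives as OKTA_PRIVATE_KEY` would make that coupling visible.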
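Review bot: The comment on `okta_jwk_n` names the wrong environment prefix — Terraform reads `TF_VAR_<name>`, not `TF_VARS_`, so the quoted `TF_VARS_okta_private_key="" scripts/jwk.rb` would not set anything, and the script added in PATCH 4/4 does not read that variable at all (it generates a key). Correct it to `# TF_VAR_okta_private_key="<pem>" ruby scripts/jwk.rb` once the script actually consumes it. `default = ""` on both `okta_jwk_n` and `okta_private_key` means a missing export silently yields an Okta app with an empty modulus; drop the defaults so `plan` fails fast, or add a `validation { condition = length(var.okta_jwk_n) > 0, error_message = "okta_jwk_n must be set" }` block.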
From: Evan Tschuy
Date: Fri, 28 Oct 2022 11:44:00 -0700
Subject: [PATCH 3/4] debug workflow
---
 .github/workflows/deploy.yaml | 8 ++++----
 main.tf | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index c3a957c..a5411c6 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -16,6 +16,10 @@ jobs:
 uses: actions/checkout@v2
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v1
+ - name: Convert PEM to JWK
+ run: |
+ gem install --user-install json-jwt
+ export TF_VAR_okta_jwk_n=`ruby scripts/jwk.rb`
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
 with:
@@ -36,10 +40,6 @@ jobs:
 env:
 TF_CLI_ARGS: ${{ secrets.TF_CLI_ARGS }}
 run: terraform init
- - name: Convert PEM to JWK
- run: |
- gem install json-jwt
- export TF_VAR_okta_jwk_n=`ruby scripts/jwk.rb`
 - name: Terraform Plan
 id: plan
 if: github.event_name == 'pull_request'
diff --git a/main.tf b/main.tf
index 644b03f..d24b04c 100644
--- a/main.tf
+++ b/main.tf
@@ -33,7 +33,7 @@ module "idt-okta-webhook" {
 # OKTA_TOKEN = var.okta_token
 OKTA_SLACK_APP_ID = var.okta_slack_app_id
 OKTA_CLIENT_ID = okta_app_oauth.indent.id
- OKTA_PRIVATE_KEY = var.okta_private_key
+ OKTA_PRIVATE_KEY = file("./private.pem")
 }
 }
From 883bd780217c95795d7a3414dd3b612c6dbc1aa6 Mon Sep 17 00:00:00 2001
From: Evan Tschuy
Date: Fri, 28 Oct 2022 11:48:57 -0700
Subject: [PATCH 4/4] add jwk generation script
---
 scripts/jwk.rb | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 scripts/jwk.rb
diff --git a/scripts/jwk.rb b/scripts/jwk.rb
new file mode 100644
index 0000000..86698b6
--- /dev/null
+++ b/scripts/jwk.rb
@@ -0,0 +1,6 @@
+require 'openssl'
+require 'json/jwt'
+rsa_private = OpenSSL::PKey::RSA.generate 2048
+File.write('./private.pem', rsa_private.to_pem)
+rsa_private = OpenSSL::PKey::RSA.new rsa_private_string
+puts rsa_private.public_key.to_jwk["n"]
\ No newline at end of file
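Review bot: `gem install --user-install json-jwt` still fetches whatever json-jwt version rubygems serves at run time, with no version pin and no lockfile, so the code that handles the signing key floats on every run of the deploy workflow. Pin it, `gem install --user-install json-jwt -v <pinned version>`, or check in a Gemfile with a Gemfile.lock and run `bundle install`; either way the version is then reviewed in the repository rather than chosen by the registry. Adding `--no-document` would also keep the step quick and quiet.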
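Review bot: `file("./private.pem")` reads a key that, per `scripts/jwk.rb` in PATCH 4/4, is freshly generated on the runner during the same run and is never committed, so a plan on a pull request and the apply on the default branch each see a different key, and both this env entry and `okta_app_oauth.indent.jwks` will show a diff on every run. The PEM also ends up in plaintext in the Lambda environment and in the S3-backed state (`sensitive` only redacts CLI output, it does not encrypt state), readable by anyone with `lambda:GetFunctionConfiguration` or state-bucket access. If the module's `env` map is the only way to deliver the key, keep `OKTA_PRIVATE_KEY = var.okta_private_key` sourced from a repository secret and generate the key once out-of-band, so the same key is used on every run and never written to the runner's working tree.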
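Review bot: `rsa_private_string` on the fifth line is never defined, so the script raises `NameError` after it has already written `./private.pem` and prints nothing, leaving `TF_VAR_okta_jwk_n` empty. The leftover name and the step title "Convert PEM to JWK" suggest the intent was to read the existing PEM from the environment rather than mint a new 2048-bit key on every run, which would also stop a private key being dropped into the working directory with default permissions. If generating on the runner really is intended, write it with `File.write('./private.pem', rsa_private.to_pem, perm: 0o600)` and add `private.pem` to `.gitignore`; otherwise take the PEM from the variable the variables.tf comment already refers to and emit only the modulus:

```ruby
require 'openssl'
require 'json/jwt'

# Reuse the key already supplied to Terraform instead of generating one per run.
pem = ENV.fetch('TF_VAR_okta_private_key')
rsa_private = OpenSSL::PKey::RSA.new(pem)
puts rsa_private.public_key.to_jwk['n']
```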