WIP: Automate creation of Okta service app

.github/workflows/deploy.yaml

@@ -16,6 +16,10 @@ jobs:
         uses: actions/checkout@v2
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
+      - name: Convert PEM to JWK
+        run: |
+          gem install --user-install json-jwt
+          export TF_VAR_okta_jwk_n=`ruby scripts/jwk.rb`
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
@@ -33,6 +37,8 @@ jobs:
         run: terraform fmt -check -diff
       - name: Terraform Init
         id: init
+        env:
+          TF_CLI_ARGS: ${{ secrets.TF_CLI_ARGS }}
         run: terraform init
       - name: Terraform Plan
         id: plan

main.tf

@@ -5,29 +5,56 @@ terraform {
     region  = "us-west-2"
     key     = "indent/terraform.tfstate"
   }
+}
 
+# Configure the Okta Provider
+provider "okta" {
+  org_name  = var.okta_prefix
+  base_url  = "okta.com"
+  api_token = var.okta_token
 }
 
 # Indent + Okta Integration
 
-# Details: https://github.com/indentapis/integrations/tree/f494cef86094c3b40ac124e3159f5f3391c7e6c8/packages/stable/indent-integration-okta
-# Last Change: https://github.com/indentapis/integrations/commit/f494cef86094c3b40ac124e3159f5f3391c7e6c8
+# Details: https://github.com/indentapis/integrations/tree/f0cea0e363f8950c7a217d186df6c377ed52e9d7/packages/stable/indent-integration-okta
+# Last Change: https://github.com/indentapis/integrations/commit/f0cea0e363f8950c7a217d186df6c377ed52e9d7
 
 module "idt-okta-webhook" {
   source                = "git::https://github.com/indentapis/integrations//terraform/modules/indent_runtime_aws_lambda"
   name                  = "idt-okta-webhook"
   indent_webhook_secret = var.indent_webhook_secret
   artifact = {
     bucket       = "indent-artifacts-us-west-2"
-    function_key = "webhooks/aws/lambda/okta-f494cef86094c3b40ac124e3159f5f3391c7e6c8-function.zip"
-    deps_key     = "webhooks/aws/lambda/okta-f494cef86094c3b40ac124e3159f5f3391c7e6c8-deps.zip"
+    function_key = "webhooks/aws/lambda/okta-f0cea0e363f8950c7a217d186df6c377ed52e9d7-function.zip"
+    deps_key     = "webhooks/aws/lambda/okta-f0cea0e363f8950c7a217d186df6c377ed52e9d7-deps.zip"
   }
   env = {
-    OKTA_DOMAIN       = var.okta_domain
-    OKTA_TOKEN        = var.okta_token
+    OKTA_DOMAIN       = "${var.okta_prefix}.okta.com"
+    # OKTA_TOKEN        = var.okta_token
     OKTA_SLACK_APP_ID = var.okta_slack_app_id
-    OKTA_CLIENT_ID    = var.okta_client_id
-    OKTA_PRIVATE_KEY  = var.okta_private_key
+    OKTA_CLIENT_ID    = okta_app_oauth.indent.id
+    OKTA_PRIVATE_KEY  = file("./private.pem")
+  }
+}
+
+resource "okta_app_oauth" "indent" {
+  label                      = "indent_integration"
+  type                       = "service"
+  token_endpoint_auth_method = "private_key_jwt"
+  grant_types                = ["client_credentials"]
+  response_types             = ["token"]
+  pkce_required              = true
+
+  jwks {
+    kty = "RSA"
+    kid = "SIGNING_KEY"
+    e   = "AQAB"
+    n   = var.okta_jwk_n
   }
 }
 
+resource "okta_app_oauth_api_scope" "indent-scopes" {
+  app_id = okta_app_oauth.indent.id
+  issuer = "https://${var.okta_prefix}.okta.com"
+  scopes = ["okta.groups.manage", "okta.users.manage"]
+}

scripts/jwk.rb

@@ -0,0 +1,6 @@
+require 'openssl'
+require 'json/jwt'
+rsa_private = OpenSSL::PKey::RSA.generate 2048
+File.write('./private.pem', rsa_private.to_pem)
+rsa_private = OpenSSL::PKey::RSA.new rsa_private_string
+puts rsa_private.public_key.to_jwk["n"]

variables.tf

@@ -18,6 +18,25 @@ variable "okta_domain" {
   default   = ""
   sensitive = true
 }
+variable "okta_prefix" {
+  type      = string
+  default   = ""
+  sensitive = true
+}
+
+variable "okta_private_key" {
+  type      = string
+  default   = ""
+  sensitive = true
+}
+
+variable "okta_jwk_n" {
+  # just the `n` portion of the okta jwk;
+  # TF_VARS_okta_private_key="" scripts/jwk.rb
+  type      = string
+  default   = ""
+  sensitive = true
+}
 
 variable "okta_token" {
   type      = string