
Modules?

Open exitcode0 opened this issue 1 year ago • 9 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Was wondering if there is any desire or intent for Okta to host modules for the provider. I'm seeing some clever modules from some people in the community; having a place to share this work could be a collective good.

I'm unsure of where I think these modules could be hosted: this repo, the Terraform registry, or elsewhere ¯\_(ツ)_/¯

Not sure if Okta has a desire to develop and/or maintain modules for the provider, but having a place where the community can submit theirs might be beneficial. I'd imagine most don't want to spend the time to upload them to the Terraform registry.

exitcode0 avatar Sep 07 '23 04:09 exitcode0

@balaganaparthi-okta @emanor-okta do you all have feedback here?

monde avatar Sep 07 '23 16:09 monde

Speaking with the PM we are wondering if we should add some information about modules in our latest developer documentation https://developer.okta.com/docs/guides/terraform-landing-page/main/ I will look into this further.

monde avatar Sep 12 '23 15:09 monde

@exitcode0 I'll be meeting some of our customers along with @jefftaylor-okta next month. I'll see if anyone has feedback about modules, or perhaps can share modules they've written with us.

Also, @exitcode0, do you have any ideas for modules that would be reflective of common use cases of the Okta provider? We could save them in the examples directory, or add them to the developer documentation that I mentioned: https://developer.okta.com/docs/guides/terraform-landing-page/main/

monde avatar Sep 12 '23 21:09 monde

I'd assert that a lot of people just starting out with this provider may not have used Terraform before (I hadn't). With that in mind, I think a general overview of how modules can be used to enforce an org's convention(s) might be helpful to those starting out with the provider, e.g. we use a module to set custom attrs on service accounts as well as creating a group for each that denotes owners.

One thing I'll be creating a module for when I have the time is delegating group membership admin of all groups assigned to a given app to the app's owners group (excluding the owners group itself).

One thing I created ages ago that I should probably make into a module is a group that contains users with any admin permissions. This is useful for excluding Admins from IT Support custom roles. It does this by listing users assigned to the Okta admin dashboard app; the membership only updates in the plan after the plan where the user was assigned permissions though 😢

exitcode0 avatar Sep 13 '23 01:09 exitcode0

@jefftaylor-okta coming up with a set of TF modules seems more of a developer relations effort, perhaps a section in our developer docs for TF: https://developer.okta.com/docs/guides/terraform-landing-page/main/ If we start curating modules in the project we are presuming to know a best practice that will be common to many customers, and that seems beyond the scope of the team maintaining the Okta TF provider itself. @jefftaylor-okta thoughts?

monde avatar Sep 26 '23 15:09 monde

@exitcode0 Thanks for the suggestion! I am glad someone has brought this up. If you look at our latest documentation, you will see us moving in this direction. I am also giving a talk at our upcoming conference, Oktane, where we will create a module from a real world scenario. This is also a test with the community to see how these samples would be received. Look for a public Gist in the next few days, and let me know what you think! I will also work with our developer advocacy team to see how we can expand on this idea with the feedback we receive. Also, if you have some top of mind scenarios, please respond and tag me! 🙂

Edit: Adding links to our new developer documentation: https://developer.okta.com/docs/guides/terraform-landing-page/main/

jefftaylor-okta avatar Oct 03 '23 15:10 jefftaylor-okta

I'm glad to see there is some interest in this space. I think there is a lot of value in organisations using modules to enforce their conventions over certain resources; orgs can statically analyse their Terraform code with their tool of choice, but for some, modules may be simpler. I think that an Okta feature in this space could also be fantastic for organisations with large admin teams, e.g. a policy to require PKCE.

Some ideas for Terraform modules off-hand:

  • OAuth application(s) for Terraform itself
  • Export OAuth client secrets to secret stores for consumption by internal teams, to support frequent automated rotation
  • Service accounts
    • Optionally deny login via global session policy by default
    • Ensure consistent custom attributes
    • Create ownership groups
  • Custom admin roles
    • Prior to permission conditions, you could use okta.groups.read to give limited read access to the user profile
  • Resource sets
  • Okta Administrators group (the BUILT_IN one doesn't currently support listing users)
  • Group rules
  • Delegated group membership administrator (essentially implementing apps:<ID>:groups:contained_resources)

If you'd like to chat further I'm quite happy to do a customer interview after the dust from Oktane has settled 🙂

exitcode0 avatar Oct 04 '23 03:10 exitcode0
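A sketch of the "Service accounts" module idea from the list above (consistent custom attributes, an ownership group per account, and deny-login by default), written as an added example for this thread; it is not the provider's code nor any module from the commenters. The module layout, the variable names, the custom attribute names "serviceAccount" and "ownerGroup", and the svc.example.com login convention are assumptions.

```hcl
# Hypothetical "service_account" module (added example, not code from this thread or the provider).
# Assumes the custom profile attributes "serviceAccount" and "ownerGroup" already exist in the Okta
# user schema, and that the caller passes a group bound to a DENY sign-on rule of the global session policy.

variable "name" {
  type = string # e.g. "svc-ci-runner" (constructed value)
}

variable "owners" {
  type = list(string) # Okta user IDs of the people accountable for this account
}

variable "no_login_group_id" {
  type = string # pre-existing group whose sign-on policy rule has access = "DENY"
}

variable "deny_login" {
  type    = bool
  default = true # org convention: service accounts never log in interactively
}

# Every account created through the module carries the same marker attributes, so
# group rules, reporting and custom admin roles can rely on them being present.
resource "okta_user" "this" {
  first_name = "Service"
  last_name  = var.name
  login      = "${var.name}@svc.example.com" # constructed naming convention
  email      = "${var.name}@svc.example.com"
  custom_profile_attributes = jsonencode({
    serviceAccount = true
    ownerGroup     = okta_group.owners.name
  })
}

resource "okta_group" "owners" {
  name        = "owners-${var.name}" # one ownership group per account, visible in Okta itself
  description = "Owners of service account ${var.name}"
}

resource "okta_group_memberships" "owners" {
  group_id = okta_group.owners.id
  users    = var.owners
}

# Opt-out only: the account lands in the no-login group unless deny_login is set to false.
resource "okta_user_group_memberships" "no_login" {
  count   = var.deny_login ? 1 : 0
  user_id = okta_user.this.id
  groups  = [var.no_login_group_id]
}
```

Because the DENY rule lives on a group rather than on each user, a single global session policy covers every account the module creates, and an exception is an explicit `deny_login = false` in the calling code that shows up in review.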

This issue is stale because it has been open 60 days with no activity. Comment or this will be closed in 5 days

github-actions[bot] avatar Nov 04 '23 00:11 github-actions[bot]

Commenting to remove stale-bot 🙃

exitcode0 avatar Nov 06 '23 00:11 exitcode0