
okta_app_oauth should expose secret_id to enable safe rotation

Open antonmos opened this issue 11 months ago • 3 comments

Description

When the secret is terraformed, we need to persist the secretId so that it can be used during the rotation.

In order to implement safe secret rotation, the rotation needs to call "Deactivate a client secret" and "Delete a client secret" with the secretId, defined as the "Unique key of a Client Secret".

The workaround is to use the "Generate new client secret" API, which adds a new secret and removes the old secret. However, since it removes the old secret immediately, this could lead to an outage if storing the new secret in the client's secret storage fails.

antonmos avatar Feb 28 '24 15:02 antonmos
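Added example, not the provider's or Okta's code: a small Python simulation of the two rotation strategies described in the issue, using stand-in create/deactivate/delete calls keyed by secret_id and a constructed vault whose write can fail, to show why removing the old secret before the new one is durably stored leaves the client with no working credential.

```python
# Constructed stand-in for the lifecycle in the issue (create / deactivate / delete keyed by secret_id); not provider or Okta code.
import contextlib
import itertools
import secrets
class AppCredentials:
    def __init__(self):  # secret_id -> {"value", "status"}, standing in for an app's secret collection
        self._ids, self.secrets = itertools.count(1), {}
    def create(self):
        sid = f"ocs{next(self._ids)}"
        self.secrets[sid] = {"value": secrets.token_urlsafe(24), "status": "ACTIVE"}
        return sid
    def deactivate(self, sid):
        self.secrets[sid]["status"] = "INACTIVE"
    def delete(self, sid):  # only an INACTIVE secret may be deleted, hence deactivate first
        if self.secrets[sid]["status"] != "INACTIVE":
            raise ValueError("deactivate before delete")
        del self.secrets[sid]
    def accepts(self, value):  # would the authorization server accept this client_secret?
        return any(s["value"] == value and s["status"] == "ACTIVE" for s in self.secrets.values())
def store_in_vault(vault, value):  # the client's secret storage; "fail" simulates a failed write
    if vault["fail"]:
        raise IOError("constructed failure: vault unavailable")
    vault["value"] = value
def rotate_with_generate(app, vault):
    """Workaround from the issue: add the new secret and remove the old one immediately."""
    old_ids, new_id = list(app.secrets), app.create()
    for sid in old_ids:  # the old secret is gone before the vault write is even attempted
        app.deactivate(sid)
        app.delete(sid)
    store_in_vault(vault, app.secrets[new_id]["value"])
def rotate_safely(app, vault, old_id):
    """Two-phase rotation: the old secret stays ACTIVE until the new value is stored."""
    new_id = app.create()
    try:
        store_in_vault(vault, app.secrets[new_id]["value"])
    except IOError:
        app.deactivate(new_id)  # roll back the unstored secret; the old one is untouched
        app.delete(new_id)
        raise
    app.deactivate(old_id)  # retire the old secret only once the new value is durable
    app.delete(old_id)
def client_still_works(safe, vault_fails):
    """Provision, rotate with one strategy, report whether the stored secret is still accepted."""
    app = AppCredentials()
    first = app.create()
    vault = {"value": app.secrets[first]["value"], "fail": vault_fails}  # provisioned, then flaky
    with contextlib.suppress(IOError):  # a failed rotation must not mask the outcome check
        rotate_safely(app, vault, first) if safe else rotate_with_generate(app, vault)
    return app.accepts(vault["value"])
```

Only the combination of the generate-style workaround and a failed vault write leaves the client with a secret the app no longer accepts; the secret_id-based sequence survives the same failure because the old secret is still active.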

Hey @antonmos,

You should be able to persist your secret to state using okta_app_oauth.omit_secret. Does this work for your use-case?

There are some other related GitHub issues about okta_app_oauth client secrets and how they should probably be split out into their own resource, but I don't think any work has been started on this as yet.

exitcode0 avatar Feb 28 '24 22:02 exitcode0

> You should be able to persist your secret to state using okta_app_oauth.omit_secret

> omit_secret - (Optional) This tells the provider not to manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changed from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.

Could you clarify how that would help? How would I get at the secretId?

antonmos avatar Feb 28 '24 23:02 antonmos

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-795706

duytiennguyen-okta avatar Aug 21 '24 18:08 duytiennguyen-okta