Merge pull request #1222 from etsy/feat-access-token-config

feat: add `access_token` to the provider config
okta · Jul 29, 2022 · 3e0f43a · 3e0f43a
2 parents 5a613b1 + 825c3ad
commit 3e0f43a
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 20 deletions.
diff --git a/okta/config.go b/okta/config.go
@@ -35,6 +35,7 @@ type (
 		orgName          string
 		domain           string
 		httpProxy        string
+		accessToken      string
 		apiToken         string
 		clientID         string
 		privateKey       string
@@ -104,21 +105,34 @@ func (c *Config) loadAndValidate(ctx context.Context) error {
 
 	setters := []okta.ConfigSetter{
 		okta.WithOrgUrl(orgUrl),
-		okta.WithToken(c.apiToken),
-		okta.WithClientId(c.clientID),
-		okta.WithPrivateKey(c.privateKey),
-		okta.WithPrivateKeyId(c.privateKeyId),
-		okta.WithScopes(c.scopes),
 		okta.WithCache(false),
 		okta.WithHttpClientPtr(httpClient),
 		okta.WithRateLimitMaxBackOff(int64(c.maxWait)),
 		okta.WithRequestTimeout(int64(c.requestTimeout)),
 		okta.WithRateLimitMaxRetries(int32(c.retryCount)),
 		okta.WithUserAgentExtra("okta-terraform/3.31.0"),
 	}
-	if c.apiToken == "" {
-		setters = append(setters, okta.WithAuthorizationMode("PrivateKey"))
+
+	switch {
+	case c.accessToken != "":
+		setters = append(
+			setters,
+			okta.WithToken(c.accessToken), okta.WithAuthorizationMode("Bearer"),
+		)
+
+	case c.apiToken != "":
+		setters = append(
+			setters,
+			okta.WithToken(c.apiToken), okta.WithAuthorizationMode("SSWS"),
+		)
+
+	case c.privateKey != "":
+		setters = append(
+			setters,
+			okta.WithPrivateKey(c.privateKey), okta.WithPrivateKeyId(c.privateKeyId), okta.WithScopes(c.scopes), okta.WithAuthorizationMode("PrivateKey"),
+		)
 	}
+
 	if disableHTTPS {
 		setters = append(setters, okta.WithTestingDisableHttpsCheck(true))
 	}

diff --git a/okta/provider.go b/okta/provider.go
@@ -144,34 +144,41 @@ func Provider() *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc("OKTA_ORG_NAME", nil),
 				Description: "The organization to manage in Okta.",
 			},
+			"access_token": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				DefaultFunc:   schema.EnvDefaultFunc("OKTA_ACCESS_TOKEN", nil),
+				Description:   "Bearer token granting privileges to Okta API.",
+				ConflictsWith: []string{"api_token", "client_id", "scopes", "private_key"},
+			},
 			"api_token": {
 				Type:          schema.TypeString,
 				Optional:      true,
 				DefaultFunc:   schema.EnvDefaultFunc("OKTA_API_TOKEN", nil),
 				Description:   "API Token granting privileges to Okta API.",
-				ConflictsWith: []string{"client_id", "scopes", "private_key"},
+				ConflictsWith: []string{"access_token", "client_id", "scopes", "private_key"},
 			},
 			"client_id": {
 				Type:          schema.TypeString,
 				Optional:      true,
 				DefaultFunc:   schema.EnvDefaultFunc("OKTA_API_CLIENT_ID", nil),
 				Description:   "API Token granting privileges to Okta API.",
-				ConflictsWith: []string{"api_token"},
+				ConflictsWith: []string{"access_token", "api_token"},
 			},
 			"scopes": {
 				Type:          schema.TypeSet,
 				Optional:      true,
 				Elem:          &schema.Schema{Type: schema.TypeString},
 				DefaultFunc:   envDefaultSetFunc("OKTA_API_SCOPES", nil),
 				Description:   "API Token granting privileges to Okta API.",
-				ConflictsWith: []string{"api_token"},
+				ConflictsWith: []string{"access_token", "api_token"},
 			},
 			"private_key": {
 				Optional:      true,
 				Type:          schema.TypeString,
 				DefaultFunc:   schema.EnvDefaultFunc("OKTA_API_PRIVATE_KEY", nil),
 				Description:   "API Token granting privileges to Okta API.",
-				ConflictsWith: []string{"api_token"},
+				ConflictsWith: []string{"access_token", "api_token"},
 			},
 			"private_key_id": {
 				Optional:      true,
@@ -422,6 +429,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 		orgName:        d.Get("org_name").(string),
 		domain:         d.Get("base_url").(string),
 		apiToken:       d.Get("api_token").(string),
+		accessToken:    d.Get("access_token").(string),
 		clientID:       d.Get("client_id").(string),
 		privateKey:     d.Get("private_key").(string),
 		privateKeyId:	d.Get("private_key_id").(string),

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -50,10 +50,10 @@ explained below:
 
 ### Environment variables
 
-You can provide your credentials via the `OKTA_ORG_NAME`, `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_API_CLIENT_ID`,
-`OKTA_API_SCOPES` and `OKTA_API_PRIVATE_KEY` environment variables, representing your Okta Organization Name,
-Okta Base URL (i.e. `"okta.com"` or `"oktapreview.com"`), Okta API Token, Okta Client ID, Okta API scopes
-and Okta API private key respectively.
+You can provide your credentials via the `OKTA_ORG_NAME`, `OKTA_BASE_URL`, `OKTA_ACCESS_TOKEN`, `OKTA_API_TOKEN`,
+`OKTA_API_CLIENT_ID`, `OKTA_API_SCOPES` and `OKTA_API_PRIVATE_KEY` environment variables, representing your Okta
+Organization Name, Okta Base URL (i.e. `"okta.com"` or `"oktapreview.com"`), Okta Access Token, Okta API Token,
+Okta Client ID, Okta API scopes and Okta API private key respectively.
 
 ```hcl
 provider "okta" {}
@@ -70,7 +70,7 @@ $ terraform plan
 
 ## Argument Reference
 
-Note: `api_token` is mutually exclusive of the set `client_id`, `private_key`, and `scopes`. `api_token` is utilized for Okta's [SSWS Authorization Scheme](https://developer.okta.com/docs/reference/core-okta-api/#authentication) and applies to org level operations. `client_id`, `private_key`, and `scopes` are for [OAuth 2.0 client](https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application) authentication for application operations.
+Note: `api_token` is mutually exclusive of the set `access_token`, `client_id`, `private_key`, and `scopes`. `api_token` is utilized for Okta's [SSWS Authorization Scheme](https://developer.okta.com/docs/reference/core-okta-api/#authentication) and applies to org level operations. `client_id`, `private_key`, and `scopes` are for [OAuth 2.0 client](https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application) authentication for application operations. `access_token` is used in situations where the caller has already performed the OAuth 2.0 client authentication process.
 
 In addition to [generic `provider` arguments](https://www.terraform.io/docs/configuration/providers.html)
 (e.g. `alias` and `version`), the following arguments are supported in the Okta `provider` block:
@@ -81,13 +81,15 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 
 - `http_proxy` - (Optional) This is a custom URL endpoint that can be used for unit testing or local caching proxies. Can also be sourced from the `OKTA_HTTP_PROXY` environment variable.
 
-- `api_token` - (Optional) This is the API token to interact with your Okta org. It can also be sourced from the `OKTA_API_TOKEN` environment variable. `api_token` conflicts with `client_id`, `scopes` and `private_key`.
+- `access_token` - (Optional) This is an OAuth 2.0 access token to interact with your Okta org. It can be sourced from the `OKTA_ACCESS_TOKEN` environment variable. `access_token` conflicts with `api_token`, `client_id`, `scopes` and `private_key`.
 
-- `client_id` - (Optional) This is the client ID for obtaining the API token. It can also be sourced from the `OKTA_API_CLIENT_ID` environment variable. `client_id` conflicts with `api_token`.
+- `api_token` - (Optional) This is the API token to interact with your Okta org. It can also be sourced from the `OKTA_API_TOKEN` environment variable. `api_token` conflicts with `access_token`, `client_id`, `scopes` and `private_key`.
 
-- `scopes` - (Optional) These are scopes for obtaining the API token in form of a comma separated list. It can also be sourced from the `OKTA_API_SCOPES` environment variable. `scopes` conflicts with `api_token`.
+- `client_id` - (Optional) This is the client ID for obtaining the API token. It can also be sourced from the `OKTA_API_CLIENT_ID` environment variable. `client_id` conflicts with `access_token` and `api_token`.
 
-- `private_key` - (Optional) This is the private key for obtaining the API token (can be represented by a filepath, or the key itself). It can also be sourced from the `OKTA_API_PRIVATE_KEY` environment variable. `private_key` conflicts with `api_token`.
+- `scopes` - (Optional) These are scopes for obtaining the API token in form of a comma separated list. It can also be sourced from the `OKTA_API_SCOPES` environment variable. `scopes` conflicts with `access_token` and `api_token`.
+
+- `private_key` - (Optional) This is the private key for obtaining the API token (can be represented by a filepath, or the key itself). It can also be sourced from the `OKTA_API_PRIVATE_KEY` environment variable. `private_key` conflicts with `access_token` and `api_token`.
 
 - `private_key_id` - (Optional) This is the private key ID (kid) for obtaining the API token. It can also be sourced from `OKTA_API_PRIVATE_KEY_ID` environmental variable. `private_key_id` conflicts with `api_token`.