From 391ed1d8c915d862297b509c4ce2dfd77e39f33b Mon Sep 17 00:00:00 2001
From: Eric Norris
Date: Wed, 27 Jul 2022 14:30:25 -0400
Subject: [PATCH 1/2] feat: add `access_token` to the provider config

This commit allows a user to specify an access token, instead of an API token or private key.
---
 okta/config.go | 27 +++++++++++++++++++++------
 okta/provider.go | 16 ++++++++++++----
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/okta/config.go b/okta/config.go
index 654e8048d..32285f0e0 100644
--- a/okta/config.go
+++ b/okta/config.go
@@ -35,6 +35,7 @@ type (
 orgName string
 domain string
 httpProxy string
+ accessToken string
 apiToken string
 clientID string
 privateKey string
@@ -103,10 +104,6 @@ func (c *Config) loadAndValidate(ctx context.Context) error {
 setters := []okta.ConfigSetter{
 okta.WithOrgUrl(orgUrl),
- okta.WithToken(c.apiToken),
- okta.WithClientId(c.clientID),
- okta.WithPrivateKey(c.privateKey),
- okta.WithScopes(c.scopes),
 okta.WithCache(false),
 okta.WithHttpClientPtr(httpClient),
 okta.WithRateLimitMaxBackOff(int64(c.maxWait)),
@@ -114,9 +111,27 @@ func (c *Config) loadAndValidate(ctx context.Context) error {
 okta.WithRateLimitMaxRetries(int32(c.retryCount)),
 okta.WithUserAgentExtra("okta-terraform/3.31.0"),
 }
- if c.apiToken == "" {
- setters = append(setters, okta.WithAuthorizationMode("PrivateKey"))
+
+ switch {
+ case c.accessToken != "":
+ setters = append(
+ setters,
+ okta.WithToken(c.accessToken), okta.WithAuthorizationMode("Bearer"),
+ )
+
+ case c.apiToken != "":
+ setters = append(
+ setters,
+ okta.WithToken(c.apiToken), okta.WithAuthorizationMode("SSWS"),
+ )
+
+ case c.privateKey != "":
+ setters = append(
+ setters,
+ okta.WithPrivateKey(c.privateKey), okta.WithAuthorizationMode("PrivateKey"), okta.WithScopes(c.scopes),
+ )
 }
+
 if disableHTTPS {
 setters = append(setters, okta.WithTestingDisableHttpsCheck(true))
 }
diff --git a/okta/provider.go b/okta/provider.go
index 5052bbdc0..a21e8c877 100644
--- a/okta/provider.go
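Review bot: The `c.privateKey` branch of the new `switch` never passes the client ID to the SDK: `okta.WithClientId(c.clientID)` was dropped from the unconditional setters in the previous hunk and is not re-added in this one, so the OAuth 2.0 private-key flow is now configured without the client it asserts as — unless the SDK sources the client ID from somewhere else, the `private_key` path breaks; add `okta.WithClientId(c.clientID),` next to `okta.WithPrivateKey(c.privateKey)`. A second gap is the case where none of `accessToken`, `apiToken` or `privateKey` is set: the old code always appended an authorization mode, whereas the `switch` appends nothing and `loadAndValidate` carries on with whatever the SDK's default mode is, so a `default:` branch returning an error such as `one of access_token, api_token or private_key must be configured` would make the failure explicit at validation time. The switch also fixes a silent precedence (access token over API token over private key) when more than one credential is populated, which matters because, as far as I recall, the schema's `ConflictsWith` only inspects attributes written in configuration and not values sourced from environment variables; a comment such as `// precedence when several credentials are set: access_token > api_token > private_key` above the switch would record that choice. `loadAndValidate` begins and ends outside the hunk.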
+++ b/okta/provider.go
@@ -144,19 +144,26 @@ func Provider() *schema.Provider {
 DefaultFunc: schema.EnvDefaultFunc("OKTA_ORG_NAME", nil),
 Description: "The organization to manage in Okta.",
 },
+ "access_token": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc("OKTA_ACCESS_TOKEN", nil),
+ Description: "Bearer token granting privileges to Okta API.",
+ ConflictsWith: []string{"api_token", "client_id", "scopes", "private_key"},
+ },
 "api_token": {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.EnvDefaultFunc("OKTA_API_TOKEN", nil),
 Description: "API Token granting privileges to Okta API.",
- ConflictsWith: []string{"client_id", "scopes", "private_key"},
+ ConflictsWith: []string{"access_token", "client_id", "scopes", "private_key"},
 },
 "client_id": {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.EnvDefaultFunc("OKTA_API_CLIENT_ID", nil),
 Description: "API Token granting privileges to Okta API.",
- ConflictsWith: []string{"api_token"},
+ ConflictsWith: []string{"access_token", "api_token"},
 },
 "scopes": {
 Type: schema.TypeSet,
@@ -164,14 +171,14 @@ func Provider() *schema.Provider {
 Elem: &schema.Schema{Type: schema.TypeString},
 DefaultFunc: envDefaultSetFunc("OKTA_API_SCOPES", nil),
 Description: "API Token granting privileges to Okta API.",
- ConflictsWith: []string{"api_token"},
+ ConflictsWith: []string{"access_token", "api_token"},
 },
 "private_key": {
 Optional: true,
 Type: schema.TypeString,
 DefaultFunc: schema.EnvDefaultFunc("OKTA_API_PRIVATE_KEY", nil),
 Description: "API Token granting privileges to Okta API.",
- ConflictsWith: []string{"api_token"},
+ ConflictsWith: []string{"access_token", "api_token"},
 },
 "base_url": {
 Type: schema.TypeString,
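Review bot: The new `access_token` schema entry is not marked sensitive, so the bearer token can be echoed in plan output, state diffs and debug logging of the provider block; add `Sensitive: true,` to the attribute (the existing `api_token` and `private_key` entries visible in this hunk have the same gap, but the new entry is the place to start). The description `Bearer token granting privileges to Okta API.` says less than the docs commit does — something like `OAuth 2.0 access token, sent as a Bearer token, granting privileges to the Okta API.` tells the user which credential it is. Since `ConflictsWith` only validates attributes present in configuration (if I recall the SDK correctly), an `OKTA_ACCESS_TOKEN` and an `OKTA_API_TOKEN` supplied together through the environment are not rejected here and fall to whatever precedence the config loader applies; if that is intended, a sentence in the description would save a support question. `Provider` begins and ends outside the hunk.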
@@ -415,6 +422,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 orgName: d.Get("org_name").(string),
 domain: d.Get("base_url").(string),
 apiToken: d.Get("api_token").(string),
+ accessToken: d.Get("access_token").(string),
 clientID: d.Get("client_id").(string),
 privateKey: d.Get("private_key").(string),
 scopes: convertInterfaceToStringSet(d.Get("scopes")),

From d5646ead3eaf5c7c1771645711d5496307c79468 Mon Sep 17 00:00:00 2001
From: Eric Norris
Date: Thu, 28 Jul 2022 11:37:08 -0400
Subject: [PATCH 2/2] docs: add `access_token`

---
 website/docs/index.html.markdown | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 2f4765260..4544fdbcd 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -50,10 +50,10 @@ explained below:
 ### Environment variables
-You can provide your credentials via the `OKTA_ORG_NAME`, `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_API_CLIENT_ID`,
-`OKTA_API_SCOPES` and `OKTA_API_PRIVATE_KEY` environment variables, representing your Okta Organization Name,
-Okta Base URL (i.e. `"okta.com"` or `"oktapreview.com"`), Okta API Token, Okta Client ID, Okta API scopes
-and Okta API private key respectively.
+You can provide your credentials via the `OKTA_ORG_NAME`, `OKTA_BASE_URL`, `OKTA_ACCESS_TOKEN`, `OKTA_API_TOKEN`,
+`OKTA_API_CLIENT_ID`, `OKTA_API_SCOPES` and `OKTA_API_PRIVATE_KEY` environment variables, representing your Okta
+Organization Name, Okta Base URL (i.e. `"okta.com"` or `"oktapreview.com"`), Okta Access Token, Okta API Token,
+Okta Client ID, Okta API scopes and Okta API private key respectively.
 ```hcl
 provider "okta" {}
@@ -70,7 +70,7 @@ $ terraform plan
 ## Argument Reference
-Note: `api_token` is mutually exclusive of the set `client_id`, `private_key`, and `scopes`. `api_token` is utilized for Okta's [SSWS Authorization Scheme](https://developer.okta.com/docs/reference/core-okta-api/#authentication) and applies to org level operations. `client_id`, `private_key`, and `scopes` are for [OAuth 2.0 client](https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application) authentication for application operations.
+Note: `api_token` is mutually exclusive of the set `access_token`, `client_id`, `private_key`, and `scopes`. `api_token` is utilized for Okta's [SSWS Authorization Scheme](https://developer.okta.com/docs/reference/core-okta-api/#authentication) and applies to org level operations. `client_id`, `private_key`, and `scopes` are for [OAuth 2.0 client](https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application) authentication for application operations. `access_token` is used in situations where the caller has already performed the OAuth 2.0 client authentication process.
 In addition to [generic `provider` arguments](https://www.terraform.io/docs/configuration/providers.html) (e.g. `alias` and `version`), the following arguments are supported in the Okta `provider` block:
@@ -81,13 +81,15 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 - `http_proxy` - (Optional) This is a custom URL endpoint that can be used for unit testing or local caching proxies. Can also be sourced from the `OKTA_HTTP_PROXY` environment variable.
-- `api_token` - (Optional) This is the API token to interact with your Okta org. It can also be sourced from the `OKTA_API_TOKEN` environment variable. `api_token` conflicts with `client_id`, `scopes` and `private_key`.
+- `access_token` - (Optional) This is an OAuth 2.0 access token to interact with your Okta org. It can be sourced from the `OKTA_ACCESS_TOKEN` environment variable. `access_token` conflicts with `api_token`, `client_id`, `scopes` and `private_key`.
-- `client_id` - (Optional) This is the client ID for obtaining the API token. It can also be sourced from the `OKTA_API_CLIENT_ID` environment variable. `client_id` conflicts with `api_token`.
+- `api_token` - (Optional) This is the API token to interact with your Okta org. It can also be sourced from the `OKTA_API_TOKEN` environment variable. `api_token` conflicts with `access_token`, `client_id`, `scopes` and `private_key`.
-- `scopes` - (Optional) These are scopes for obtaining the API token in form of a comma separated list. It can also be sourced from the `OKTA_API_SCOPES` environment variable. `scopes` conflicts with `api_token`.
+- `client_id` - (Optional) This is the client ID for obtaining the API token. It can also be sourced from the `OKTA_API_CLIENT_ID` environment variable. `client_id` conflicts with `access_token` and `api_token`.
-- `private_key` - (Optional) This is the private key for obtaining the API token (can be represented by a filepath, or the key itself). It can also be sourced from the `OKTA_API_PRIVATE_KEY` environment variable. `private_key` conflicts with `api_token`.
+- `scopes` - (Optional) These are scopes for obtaining the API token in form of a comma separated list. 
It can also be sourced from the `OKTA_API_SCOPES` environment variable. `scopes` conflicts with `access_token` and `api_token`.
+
+- `private_key` - (Optional) This is the private key for obtaining the API token (can be represented by a filepath, or the key itself). It can also be sourced from the `OKTA_API_PRIVATE_KEY` environment variable. `private_key` conflicts with `access_token` and `api_token`.
 - `backoff` - (Optional) Whether to use exponential back off strategy for rate limits, the default is `true`.