okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Add the data source `okta_app_signon_policy_rule` #2111

Open HeroesFR opened 1 week ago

HeroesFR commented 1 week ago

Description

When creating an okta_app_signon_policy, it automatically creates a default rule named "Catch-all Rule", which can only be managed via Terraform after an import. This import requires retrieving the id of the rule, and this cannot be done automatically via Terraform; we need manual action to manage it.

The goal here is to reduce the manual work and automate the process.

New or Affected Resource(s)

The goal here is to create the data source named okta_app_signon_policy_rule. With this data source, we could have the following automatic workflow:

Potential Terraform Configuration

First, we would create the policy:

resource "okta_app_signon_policy" "my_policy" {
  name        = "my_policy"
  description = "Test App Signon Policy"
}

Then declare this data source to retrieve the rules of the policy:

data "okta_app_signon_policy_rule" "my_policy_rules" {
  policy_id = okta_app_signon_policy.my_policy.id
}

The output of this data source could be a list of policy rules with the following structure:

[
  {
    rule_id = "rulfn05yzjcR8PB80417"
    name    = "Catch-all Rule"
  },
  {
    rule_id = "rodspwmyzjcR8PB46838"
    name    = "my_rule"
  }
  # ...
]

We now just need to filter and select only the rule with the name "Catch-all Rule" and update it:

locals {
  # The data source returns a list, so select the catch-all rule with a for expression;
  # one() yields null when the list is empty and errors if the name is ambiguous
  catch_all_rule = one([
    for rule in data.okta_app_signon_policy_rule.my_policy_rules.rules : rule
    if rule.name == "Catch-all Rule"
  ])
}

resource "okta_app_signon_policy_rule" "catch_all_rule" {
  count = local.catch_all_rule != null ? 1 : 0

  # policy_id is the id of the parent policy; local.catch_all_rule.rule_id is the
  # id of the existing rule, needed when importing it into state
  policy_id = okta_app_signon_policy.my_policy.id
  name      = "Catch-all Rule"

  # Define all the other attributes of the rule
  # ...

  # We need to be careful with the order of the resources to avoid a cyclic dependency
  depends_on = [data.okta_app_signon_policy_rule.my_policy_rules]
}

References

I've looked at the following PR, which has the same issue (I'm also currently facing this issue right now), and this could help more developers use the Okta provider.

The API to retrieve the rules of a policy already exists here

Thanks for reading.
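The manual step the issue describes (look up the id of the "Catch-all Rule", then import it so Terraform manages it instead of leaving the most permissive rule of the policy outside IaC) can be scripted against the policy rules API that already exists. The script below is an added example and is not part of the thread, the provider, or Okta's tooling. It assumes the endpoint is `GET {org_url}/api/v1/policies/{policy_id}/rules` returning a JSON array of rules with `id` and `name`, that the provider's import ID for `okta_app_signon_policy_rule` is `<policy_id>/<rule_id>` (check the provider docs for your version), and it runs offline on a constructed sample response when no `OKTA_ORG_URL`/`OKTA_API_TOKEN` environment variables are set.

```python
"""Find the default "Catch-all Rule" of an Okta app sign-on policy and build
the `terraform import` command that brings it under Terraform management.

Added example, not code from the issue or from the provider. Assumptions:
the policy rules API is GET {org_url}/api/v1/policies/{policy_id}/rules and
returns a JSON array of rule objects carrying "id" and "name"; the provider's
import ID for okta_app_signon_policy_rule is "<policy_id>/<rule_id>".
"""
import json
import os
import sys
import urllib.request

CATCH_ALL_NAME = "Catch-all Rule"

# Constructed sample, shaped like a policy rules API response (ids taken from
# the issue's illustration, remaining attributes chosen for the example).
SAMPLE_RULES_JSON = """[
  {"id": "rulfn05yzjcR8PB80417", "name": "Catch-all Rule", "system": true,
   "status": "ACTIVE", "priority": 99},
  {"id": "rodspwmyzjcR8PB46838", "name": "my_rule", "system": false,
   "status": "ACTIVE", "priority": 1}
]"""


def load_sample_rules():
    """Return the constructed sample rules as Python objects."""
    return json.loads(SAMPLE_RULES_JSON)


def fetch_policy_rules(org_url, policy_id, api_token):
    """Retrieve the rules of one policy from the live Okta API (SSWS token auth)."""
    url = f"{org_url.rstrip('/')}/api/v1/policies/{policy_id}/rules"
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"SSWS {api_token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_rule_by_name(rules, name):
    """Return the single rule with this name, or None if absent.

    Raises on an ambiguous name so the script never imports the wrong rule.
    """
    matches = [r for r in rules if r.get("name") == name]
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} rules named {name!r}; refusing to guess")
    return matches[0] if matches else None


def find_catch_all_rule(rules):
    """Locate the Okta-created default rule by its well-known name."""
    return find_rule_by_name(rules, CATCH_ALL_NAME)


def terraform_import_command(resource_address, policy_id, rule_id):
    """Build the import command; the address is quoted so an index like [0]
    survives the shell. Import ID format is the assumed '<policy_id>/<rule_id>'."""
    return f"terraform import '{resource_address}' {policy_id}/{rule_id}"


def unmanaged_rules(rules, managed_rule_ids):
    """Rules present in Okta but missing from the set of ids Terraform manages.

    Feed it the rule ids found in `terraform state` to detect drift such as a
    catch-all rule that was never imported.
    """
    return [r for r in rules if r.get("id") not in managed_rule_ids]


def main(argv):
    # Usage: script.py <policy_id> [<resource_address>]
    # With OKTA_ORG_URL and OKTA_API_TOKEN set, the live API is queried;
    # otherwise the constructed sample is used so the script runs offline.
    policy_id = argv[1] if len(argv) > 1 else "POLICY_ID_PLACEHOLDER"
    address = argv[2] if len(argv) > 2 else "okta_app_signon_policy_rule.catch_all_rule[0]"
    org_url, token = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_API_TOKEN")
    rules = fetch_policy_rules(org_url, policy_id, token) if org_url and token else load_sample_rules()
    rule = find_catch_all_rule(rules)
    if rule is None:
        print(f"no rule named {CATCH_ALL_NAME!r} in policy {policy_id}")
        return 1
    print(terraform_import_command(address, policy_id, rule["id"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the policy id as the first argument right after `terraform apply` creates the policy; `unmanaged_rules` can be run separately in CI against the ids present in state so an app sign-on policy whose catch-all rule drifted outside Terraform is caught rather than silently left in place.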

duytiennguyen-okta commented 1 day ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-824509