okta / terraform-provider-oktapam

Terraform Provider for Okta PAM

TF feedback/issue notes #77

Open OKirwinW opened 2 years ago

OKirwinW commented 2 years ago

Feedback submission:

For the most part the TF provider is functional but there are a few gaps in attributes. Please include code blocks for examples on how to use the provider resources and data attributes.

The documentation on this resource needs adjustment.

General feedback is to add more polish to validation rules, especially for attributes that are being created by the resource, or referencing pre-existing items within the dashboard. Gateway Selectors are a great example for this.

waltergoulet-okta commented 2 years ago

Thank you for the feedback @OKirwinW. As there are multiple items in this submission I will leave this issue open and respond here in the comments for some of the issues. For the remaining issues, our developers will review this issue on a best effort basis and post questions if needed to clarify any of the feedback.

On this item

`gateway_selector` (String) Assigns ASA Gateways with labels matching all selectors. At least one selector is required for traffic forwarding. You can only assign one, what do they mean by ‘at least’

Our API allows for multiple gateway labels to be associated with a Project as shown in current UI and API. Therefore this wording is correct.

not clear how to couple oktapam_group, oktapam_project with the Okta provider for group If there’s a depends_on conditional I need to throw out if I’m creating an Okta Group and assigning to the Okta ASA Template as a push-group. (Likely question if they’re running a multi-provider Okta/OktaPAM Terraform run)

Note that the groups in ASA are locally created groups provisioned by SCIM from Okta to mirror Okta groups. This is by design because ASA does allow for local groups to be created in ASA that aren't mirrored from Okta. Putting a depends_on conditional in the OktaPAM Terraform provider to link it to the Okta provider would not support the general case of allowing the OktaPAM provider to work with both Okta SCIM provisioned groups and locally created Okta groups.