onelogin / terraform-provider-onelogin

GNU General Public License v3.0

onelogin_saml_apps missing fields available in the API #85

Open briggsy87 opened 1 year ago

briggsy87 commented 1 year ago

Hi, sorry if these have been asked/addressed somewhere else but I have spent some time searching through the issues and found nothing relevant.

I currently have some custom Python written which I use to call the OneLogin APIs to create my new application, which seems to work great (with the exception of setting "provisioning": { "enabled": True } in the payload).

I recently noticed that this OneLogin Terraform provider existed and, since I use Terraform heavily for a number of other resources, I thought it was a no-brainer to switch over to this. I have converted my working Python, and while the majority of the app gets created with the correct parameters, I am missing a bunch of things that worked in the API.

A few of the fields I set in the API that aren't available in terraform, or simply do not work are:

Below is my code:

terraform {
  required_providers {
    onelogin = {
      source  = "onelogin/onelogin"
      version = "0.2.0"
    }
  }
}

provider "onelogin" {
  # Configuration options set as ENV vars
}

resource "onelogin_saml_apps" "example_saml_app" {
  visible      = true
  connector_id = XXXXX
  description  = "AWS - AccountAutomation"
  name         = "AWS - AccountAutomation"
  notes        = "AWS - AccountAutomation"
  # tab_id    = "XXXXX" # "Computed attributes cannot be set"
  # policy_id = "XXXXX" # "Computed attributes cannot be set"

  parameters {
    param_key_name             = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
    label                      = "RoleSessionName"
    provisioned_entitlements   = false
    user_attribute_mappings    = "email"
    values                     = null
    skip_if_blank              = false
    attributes_transformations = "none"
    default_values             = ""
    user_attribute_macros      = null

    safe_entitlements_enabled = false
    include_in_saml_assertion = false
  }

  parameters {
    param_key_name             = "https://aws.amazon.com/SAML/Attributes/Role"
    label                      = "Role"
    provisioned_entitlements   = false
    user_attribute_mappings    = "none"
    values                     = null
    skip_if_blank              = false
    attributes_transformations = "amazon_roles"
    default_values             = null
    user_attribute_macros      = false

    include_in_saml_assertion = false
    safe_entitlements_enabled = false
  }

  parameters {
    param_key_name             = "saml_username"
    label                      = "Amazon Username"
    provisioned_entitlements   = false
    user_attribute_mappings    = "email"
    values                     = null
    skip_if_blank              = false
    attributes_transformations = "none"
    default_values             = null
    user_attribute_macros      = null

    include_in_saml_assertion = false
    safe_entitlements_enabled = false
  }

  configuration = {
    signature_algorithm = "SHA-256"
    idp_list            = "arn:aws:iam::000000000000:saml-provider/SSO-OneLogin"
    certificate_id      = XXXXX
  }

  provisioning = {
    enabled = "true"
  }
}

resource "onelogin_app_role_attachments" "role_1" {
  app_id  = onelogin_saml_apps.example_saml_app.id
  role_id = XXXXX
}

resource "onelogin_app_role_attachments" "role_2" {
  app_id  = onelogin_saml_apps.example_saml_app.id
  role_id = XXXXX

  depends_on = [
    onelogin_app_role_attachments.role_1 # Added due to race condition error when creating
  ]
}
Jmfwolf commented 1 year ago

We are in the process of standardizing our SDKs by using OpenAPI specifications. I have an OpenAPI-generated terraform-provider-onelogin in prerelease if you would like to try it out: https://github.com/onelogin/terraform-provider-onelogin/tree/openapi

Jmfwolf commented 1 year ago

@briggsy87 Please check out the latest v0.4.1 release. It is a breaking change from the previous versions: the apps are one resource, but the configuration features, as well as the tab_id and policy_id, have been added. Please let me know if there are any issues.

briggsy87 commented 1 year ago

Thanks @Jmfwolf, I have been poking around with the newest release. I do see that it was a complete rewrite since you are now using OpenAPI.

My first issue was around auth; it took me a little bit to figure out that I needed to use my client ID and client secret to create a bearer token external to this whole process. I do see that this was already brought up in #112. Looks like you are planning to tackle that issue, which is great. Currently, the best option seems like running some pre-Terraform script which fetches that token and feeds it into Terraform.

I do see that some of the missing fields I mentioned above are now there, like tab_id and policy_id, but what I can't seem to figure out (and couldn't really find in the documentation) is how the new code would accept the parameter blocks that I was using above. These contain things like the user_attribute_mappings.

Sorry for the close and re-open, hit the wrong button.
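The "pre-Terraform script" handoff described in the comment above, as an added example that is not the provider's, OneLogin's, or the commenter's own code. It assumes the OneLogin v2 token endpoint (`https://<subdomain>.onelogin.com/auth/oauth2/v2/token`, HTTP Basic auth with client_id:client_secret, `grant_type=client_credentials`) and a hypothetical Terraform variable name `onelogin_token` for the token; check what the provider version you run actually expects. The secret stays in the wrapper's environment, only the short-lived bearer token reaches Terraform, and the token's lifetime is checked before it is used.

```python
"""Fetch a OneLogin bearer token out-of-band and hand it to Terraform.

Added example, not code from the provider or from OneLogin. Labelled
assumptions: the v2 token endpoint path and Basic-auth scheme below, and
the hypothetical Terraform variable name `onelogin_token`.
"""
import base64
import json
import os
import urllib.request

TOKEN_PATH = "/auth/oauth2/v2/token"      # assumed OneLogin v2 token endpoint
TF_VAR_NAME = "TF_VAR_onelogin_token"     # hypothetical variable name
SAFETY_MARGIN_S = 60                      # treat a token as stale this early

# Constructed sample of a token response, for offline demonstration only.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "tok_constructed",
    "token_type": "bearer",
    "expires_in": 36000,
    "account_id": 0,
})


def build_token_request(subdomain, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials token call."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"https://{subdomain}.onelogin.com{TOKEN_PATH}"
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"grant_type": "client_credentials"}).encode()
    return url, headers, body


def parse_token_response(raw, now):
    """Validate the token JSON and return the token with an absolute expiry.

    `now` is epoch seconds; the expiry is brought forward by SAFETY_MARGIN_S
    so a long terraform apply does not run into a token that dies mid-run.
    """
    data = json.loads(raw)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("token response lacks a bearer access_token")
    expires_in = int(data.get("expires_in", 0))
    if expires_in <= SAFETY_MARGIN_S:
        raise ValueError("token lifetime too short to be usable")
    return {"access_token": token, "expires_at": now + expires_in - SAFETY_MARGIN_S}


def token_is_usable(raw, now):
    """True when the response parses into a token with enough lifetime left."""
    try:
        parse_token_response(raw, now)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def fetch_token(subdomain, client_id, client_secret, now):
    """Perform the real HTTP call (network required; not used in the test)."""
    url, headers, body = build_token_request(subdomain, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(resp.read(), now)


def terraform_env(token, base_env):
    """Environment for the terraform child process: token in, secret out."""
    env = dict(base_env)
    env.pop("ONELOGIN_CLIENT_SECRET", None)   # never pass the secret down
    env[TF_VAR_NAME] = token["access_token"]
    return env


if __name__ == "__main__":
    import subprocess
    import time

    tok = fetch_token(
        os.environ["ONELOGIN_SUBDOMAIN"],
        os.environ["ONELOGIN_CLIENT_ID"],
        os.environ["ONELOGIN_CLIENT_SECRET"],
        int(time.time()),
    )
    # Token is handed over through the environment only; nothing is written to disk.
    subprocess.run(["terraform", "plan"], env=terraform_env(tok, os.environ), check=True)
```

Run it as `ONELOGIN_SUBDOMAIN=... ONELOGIN_CLIENT_ID=... ONELOGIN_CLIENT_SECRET=... python3 token_wrapper.py` in the Terraform working directory; declare `variable "onelogin_token" { sensitive = true }` on the Terraform side so the value is redacted from plan output.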

chanceball commented 1 year ago

I am facing the same issue, I haven't been able to find the rewritten equivalents of the configuration and parameter blocks that were in previous versions of the package for the onelogin_apps resource. This rewrite is a massive undertaking, so I could just be missing its new location.

Jmfwolf commented 1 year ago

Hi @chanceball and @briggsy87,

Thanks for your patience. I'm currently in the process of implementing the new design using the newer Terraform Provider Plugin Framework instead of the older Terraform SDK. Specifically for SAML and OIDC apps, I've had to redesign the OneLogin Go SDK. The new Go SDK and the new Terraform Provider are my top priority, given my other responsibilities.

I'll keep you updated on my progress.