Feature Request: okta_apps data source #1528

Open
sgal-dm opened this issue Apr 14, 2023 · 14 comments · May be fixed by #1816
Labels
enhancement Asking for new behavior or feature triaged Triaged into internal Jira

Comments


sgal-dm commented Apr 14, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Create an okta_apps data source to retrieve multiple apps, with no error if there is no result, similar to the okta_groups data source.

I've run into a need for this twice in the last week:

  1. Building a resource_set that contains multiple similar applications.
  2. This one is admittedly much more obscure, but it would create a simpler workaround for the circular reference required when integrating two tenants, i.e. for SAML SSO.
    a. That integration requires a circular reference between an okta_saml_app resource and an okta_saml_idp resource because each resource needs to reference metadata attributes from the other to set the correct IdP and SP metadata.
    b. The existing okta_app/okta_saml_idp data sources can't be used to decouple these resources, because the data sources throw an error if no result is found, and making it dependent on the resource doesn't decouple them, resulting in the same Terraform circular reference error.
    c. Having the ability to search for an app and not receive an error if it does not exist (similar to okta_groups) would remove the need to change a variable between applies one and two or to rely on another resource type as the condition for replacing the temporary values with the correct metadata.

New or Affected Resource(s)

  • data.okta_apps

Potential Terraform Configuration

Example scenario 1:

# New Resource
data "okta_apps" "some_apps" {
  label_prefix = "someapp"
}

resource "okta_resource_set" "some_apps" {
  label       = "Some Apps"
  # Reference the data source by type and name; the proposed list attribute is `apps`
  resources   = [for app in data.okta_apps.some_apps.apps : "https://acme.okta.com/api/v1/apps/${app.id}"]
}

Example scenario 2:

locals {
  app_name = "Some App"
}

# New resource
data "okta_apps" "some_app" {
  name = local.app_name
  provider = okta.workforce
}

data "okta_app_metadata_saml" "some_app" {
  count    = length(data.okta_apps.some_app.apps) > 0 ? 1 : 0
  app_id   = data.okta_apps.some_app.apps[0].id
  provider = okta.workforce
}

resource "okta_idp_saml" "some_idp" {
  name = "Some IDP"
  # okta_app_metadata_saml exposes entity_id / http_redirect_binding directly (no nested apps list);
  # the fallback value is only used on the first apply, before the SP app exists
  issuer = try(data.okta_app_metadata_saml.some_app[0].entity_id, "https://temporary-value.apply.again")
  sso_url = try(data.okta_app_metadata_saml.some_app[0].http_redirect_binding, "https://temporary-value.apply.again")
  provider = okta.ciam
  ...
}

data "okta_idp_metadata_saml" "some_idp" {
  idp_id   = okta_idp_saml.some_idp.id
  provider = okta.ciam
}

resource "okta_app_saml" "some_app" {
  label = local.app_name
  sso_url = data.okta_idp_metadata_saml.some_idp.http_post_binding
  recipient = data.okta_idp_metadata_saml.some_idp.http_post_binding
  destination = data.okta_idp_metadata_saml.some_idp.http_post_binding
  audience = data.okta_idp_metadata_saml.some_idp.entity_id
  provider = okta.workforce
  depends_on = [data.okta_apps.some_app]
  ...
}
@sgal-dm sgal-dm added the enhancement Asking for new behavior or feature label Apr 14, 2023
@monde (Collaborator)

monde commented Apr 18, 2023

Thanks @sgal-dm, the apps data source makes sense to me but I'm not clear on how useful it would be. For example, in the example the okta_app_metadata_saml data source assumes the app it is concerned with will be the first app in the list returned by the okta_apps data source. The API makes no guarantees about ordering of apps it returns. Can you elaborate on the use cases? Also, if anyone else in the community is interested in this data source I'd like to hear from them as well.

data "okta_app_metadata_saml" "some_app" {
  count    = length(data.okta_apps.some_app.apps) > 0 ? 1 : 0
  app_id   = data.okta_apps.some_app.apps[0].id
  provider = okta.workforce
}

@monde monde added the waiting-response Waiting on collaborator to respond to follow-on discussion label Apr 18, 2023
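One way to remove the `apps[0]` ordering assumption monde points out, as an added example that is not code from the original post or from the provider: filter the proposed data source's result by exact label and make the plan fail unless exactly one app matches. The `okta_apps` data source and its `apps[*].label` / `apps[*].id` attributes are the ones proposed in this issue, not a shipped provider feature; `okta_app_metadata_saml` and the `okta.workforce` provider alias are taken from the original scenario. Binding an IdP's issuer and SSO URL to whichever app the API happened to list first is a silent SSO misconfiguration, so the check refuses an ambiguous match instead of guessing.

```hcl
locals {
  app_name = "Some App"

  # Select by exact label instead of trusting the API's (unspecified) ordering.
  # `okta_apps` is the data source proposed in this issue (assumed shape: an
  # `apps` list whose elements carry `id` and `label`); it does not exist yet.
  matching_apps = [
    for app in data.okta_apps.some_app.apps : app
    if app.label == local.app_name
  ]
}

data "okta_apps" "some_app" {
  name     = local.app_name
  provider = okta.workforce
}

data "okta_app_metadata_saml" "some_app" {
  # Zero instances when the app does not exist yet (first apply of the
  # two-tenant bootstrap), so an empty result still raises no error.
  count = length(local.matching_apps) > 0 ? 1 : 0

  # one() returns the single element of a one-element list and errors if
  # the list holds more than one, so a duplicate label can never be resolved
  # to an arbitrary app.
  app_id   = one(local.matching_apps).id
  provider = okta.workforce

  lifecycle {
    precondition {
      condition     = length(local.matching_apps) == 1
      error_message = "Expected exactly one Okta app with the configured label; refusing to bind IdP metadata to an ambiguous match."
    }
  }
}
```

With this in place, a plan that finds two apps carrying the same label stops with the precondition message rather than wiring `okta_idp_saml.some_idp` to the first entry returned; a plan that finds none still proceeds with the temporary placeholder values exactly as in the original scenario.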
@exitcode0 (Contributor)

An okta apps data source would be useful for resource sets imo

@monde (Collaborator)

monde commented Apr 18, 2023

Also, the Okta Management API is going to be improving the apps endpoint for interacting with Okta Integration Network (OIN) apps. Need to take that into consideration.

@exitcode0 can you give me a concrete example?

@exitcode0 (Contributor)

Granting read only admin to a list of apps that all share a given name prefix

I personally don't have a use case for this right now, but I could see it being useful to me in future.

I know the default roles give the ability to scope app admin to a given OIN app type, but resource sets would likely end up being more flexible.

I could see us having a use case for granting group membership admin to all groups under a set of apps with a given name prefix, but I'm not sure if the contained resources functionality works with groups assigned to apps.

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Jun 18, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 23, 2023
@monde monde removed the stale label Jul 18, 2023
@monde monde reopened this Jul 18, 2023
@github-actions

github-actions bot commented Sep 7, 2023

This issue is stale because it has been open 60 days with no activity. Comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Sep 7, 2023
@exitcode0 (Contributor)

@monde I think this one closed out when Stalebot ran next after my most recent PRs - Could we re open this one and remove the stale label?

@monde monde removed the stale label Sep 7, 2023
@exitcode0 (Contributor)

Commenting here to bump this and maybe remove the waiting-response label,
but also to mention that I had a use case for this come up today.
I wanted to provide readOnly Admin to all applications of a given type or name, e.g. all AWS apps or all Salesforce apps.

@github-actions

This issue is stale because it has been open 60 days with no activity. Comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Oct 23, 2023
@sgal-dm (Author)

sgal-dm commented Oct 23, 2023

Not stale

@monde monde added triaged Triaged into internal Jira and removed stale waiting-response Waiting on collaborator to respond to follow-on discussion labels Oct 23, 2023
@monde (Collaborator)

monde commented Oct 23, 2023

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-660500

This would be an easy data source to implement. If anyone in the community wants to try their hand at golang, if they haven't already, I'd be more than happy to give some 1-1 pair time to the effort.

@steveAG (Contributor)

steveAG commented Oct 23, 2023

I wrote it along with two other data sources during some travel downtime earlier this month.
🤞 I'll get to testing and submitting a PR this week or next, multiple major work projects have kept me busy since I got home.

@monde (Collaborator)

monde commented Oct 23, 2023

@steveAG send me an email and I can give you some tips and tricks if you like. mike.mondragon@okta.com

@danielpopskandor

danielpopskandor commented Feb 6, 2024

Also, if anyone else in the community is interested in this data source I'd like to hear from them as well.

@monde I'd like to use a data source like this to have the saml app metadata for every app defined in the org output when terraform is applied, rather than what I'm currently doing which is maintaining a list of all the apps I have defined:

output "saml_app_details" {
  value = {
    for app in [
      # Every saml app we define should be added to this list so their details are output when terraform is applied
      okta_app_saml.a,
      okta_app_saml.b,
      okta_app_saml.c,
    ] : app.label => {
      cert         = app.certificate,
      entity_url   = app.entity_url,
      login_url    = app.http_post_binding,
      metadata     = app.metadata,
      metadata_url = app.metadata_url,
    }
  }
}

I'm aware of patterns such as using for_each for defining the resources (which would let me then reference the collection of resources), but I don't want to build that abstraction layer right now.


5 participants