Merge branch 'master' into develop

.env.sample

@@ -1,3 +1,6 @@
 OKTA_API_TOKEN=<api token>
 OKTA_ORG_NAME=<org>
 OKTA_BASE_URL=oktapreview.com
+
+# Uncomment line below to get debug log output, this will allow you to see every HTTP request
+# TF_LOG=debug

CHANGELOG.md

@@ -1,3 +1,46 @@
 For Release v3.0.0:
 
 * Updated provider protocol version to v5 to support Terraform v0.12.0
+
+For Release v3.0.1
+
+* Add some missing okta_idp_saml settings
+* Add registration inline hook type
+
+For Release v3.0.2
+
+* Use backoff/retries functionality for XML API calls
+
+For Release v3.0.3
+
+* Add okta_idp_saml data source
+* Support import user by email
+
+For Release v3.0.4
+
+* Change type of custom_profile_attributes from map to JSON string to support all types
+* Add okta_app_saml data source
+* Add okta_app_metadata_saml data source
+* Add okta_idp_metadata_saml data source
+
+For Release v3.0.5
+
+* Fix bug introduced in v3.0.4. User data source was not updated to the new caustom_profile_attribute type
+* Added test to cover this scenario, tests were passiing
+
+For Release v3.0.6
+
+* Allow client_id to be set on OIDC application, while also maintaining the computed version. With some auth methods, such as basic auth, this is possible.
+
+For Release v3.0.7
+
+* Add group_assignments for SAML and social IdPs
+
+For Release v3.0.8
+
+* Add issuer_mode to social IdP. Our test org does not have a custom domain setup, thus it was working there but not in other orgs. Hard to test both scenarios in one org.
+
+For Release v3.0.9
+
+* Add okta_template_email resource for defining Custom Email Templates
+* Add okta_group_roles resource for defining the admin roles tied to a group

DEVELOPMENT.md

@@ -56,6 +56,9 @@ Acceptance tests are run against real infrastructure and thus require credential
 ```shell
 cp .env.sample .env
 dotenv make testacc
+
+# Or run a particular test
+TEST_FILTER=TestAccDataSourceAppSaml dotenv make testacc
 ```
 
 ## Creating a PR

README.md

@@ -16,6 +16,10 @@ This provider plugin is maintained by the Terraform team at [Articulate](https:/
 - [Terraform](https://www.terraform.io/downloads.html) 0.12.x
 - [Go](https://golang.org/doc/install) 1.12 (to build the provider plugin)
 
+## Demo
+
+For a more in depth holistic usage demo, [see our demo repository here](https://github.com/articulate/terraform-provider-okta-demos).
+
 ## Usage
 
 This plugin requires two inputs to run: the okta organization name and the okta api token. The okta base url is not required and will default to "okta.com" if left out.

examples/README.md

@@ -5,7 +5,6 @@ Here lies the examples that will aid you on your Okta Terraform journey. PLEASE
 ## Example Stacks
 
 * [Okta and Cognito](./oidc-cognito-stack.tf) Example of using Okta OIDC application with a Cognito ID Provider to provide a serverless SPA access to AWS resources.
-* [Various Examples](./blog_examples) A few examples featured in an Okta blog.
 
 ## Test Fixture Examples
 
@@ -14,12 +13,14 @@ Anything that lies underneath a resource directory is config we use as fixtures
 ## Resources & Data Sources
 
 * [okta_app_saml](./okta_app_saml) Supports the management of Okta SAML Applications.
+* [okta_app_metadata_saml](./okta_app_metadata_saml) Data source for SAML app metadata.
 * [okta_app_oauth](./okta_app_oauth) Supports the management of Okta OIDC Applications.
 * [okta_app_bookmark](./okta_app_bookmark) Supports the management Okta Bookmark Application.
 * [okta_app](./okta_app) Generic Application data source.
 * [okta_user](./okta_user) Supports the management of Okta Users.
 * [okta_users](./okta_users) Data source to retrieve a group of users.
 * [okta_group](./okta_group) Supports the management of Okta Groups.
+* [okta_group_roles](./okta_group_roles) Supports the management of Okta Group Administrator Roles.
 * [okta_group_rule](./okta_group_rule) Supports the management of Okta Group Rules.
 * [okta_trusted_origin](./okta_trusted_origin) Supports the management of Okta Trusted Sources and Origins.
 * [okta_user_schemas](./okta_user_schemas) Supports the management of Okta User Profile Attribute Schemas.
@@ -33,10 +34,12 @@ Anything that lies underneath a resource directory is config we use as fixtures
 * [okta_idp_social](./okta_idp_social) Supports the management of Okta Social Identity Providers. Such as Google, Facebook, Microsoft, and LinkedIn.
 * [okta_idp_saml](./okta_idp_saml) Supports the management of Okta SAML Identity Providers.
 * [okta_network_zone](./okta_network_zone) Supports the management of Okta Network Zones for whitelisting IPs or countries dynamically.
+* [okta_idp_metadata_saml](./okta_app_metadata_saml) Data source for SAML IdP metadata.
 * [okta_policy_signon](./okta_policy_signon) Supports the management of sign on policies.
 * [okta_policy_rule_signon](./okta_policy_rule_signon) Supports the management of sign on policy rules.
 * [okta_policy_mfa](./okta_policy_mfa) Supports the management of MFA policies.
 * [okta_policy_password](./okta_policy_password) Supports the management of password policies.
+* [okta_template_email](./okta_template_email) Supports the management of custom email templates.
 * [okta_app_oauth_redirect_uri](./okta_app_oauth_redirect_uri) Supports decentralizing redirect uri config. Due to Okta's API not allowing this field to be null, you must set a redirect uri in your app, and ignore changes to this attribute. We follow TF best practices and detect config drift. The best case scenario is Okta makes this field nullable and we can not detect config drift when this attr is not present.
 
 ## Deprecated Resources

examples/okta_app_metadata_saml/datasource.tf

@@ -0,0 +1,19 @@
+resource okta_app_saml test {
+  label                    = "testAcc_replace_with_uuid"
+  sso_url                  = "http://google.com"
+  recipient                = "http://here.com"
+  destination              = "http://its-about-the-journey.com"
+  audience                 = "http://audience.com"
+  subject_name_id_template = "$${user.userName}"
+  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  response_signed          = true
+  signature_algorithm      = "RSA_SHA256"
+  digest_algorithm         = "SHA256"
+  honor_force_authn        = false
+  authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+}
+
+data okta_app_metadata_saml test {
+  app_id = "${okta_app_saml.test.id}"
+  key_id = "${okta_app_saml.test.key_id}"
+}

examples/okta_app_oauth/oauth_app.tf

@@ -1,7 +1,10 @@
 resource "okta_app_oauth" "test" {
-  label          = "testAcc_replace_with_uuid"
-  type           = "web"
-  grant_types    = ["authorization_code"]
-  redirect_uris  = ["http://d.com/"]
-  response_types = ["code"]
+  label                      = "testAcc_replace_with_uuid"
+  type                       = "web"
+  grant_types                = ["authorization_code"]
+  redirect_uris              = ["http://d.com/"]
+  response_types             = ["code"]
+  client_basic_secret        = "something_from_somewhere"
+  custom_client_id           = "something_from_somewhere"
+  token_endpoint_auth_method = "client_secret_basic"
 }

examples/okta_app_saml/README.md

@@ -2,6 +2,10 @@
 
 This resource represents an Okta SAML Application in various configuration states. For more information see the [API docs](https://developer.okta.com/docs/api/resources/apps#add-custom-saml-application)
 
+* Example of a custom SAML app [can be found here](./custom_saml_app.tf)
+* Example of an AWS preconfigured SAML app [can be found here](./saml_app_with_groups_and_users.tf)
+* Example of SAML App data source [can be found here](./datasource.tf)
+
 ## Preconfigured Applications
 
 There are some configuration options that cannot be configured on certain "preconfigured" OAuth applications due to limitations in the Okta API.

examples/okta_app_saml/custom_saml_app_all_fields.tf

@@ -20,6 +20,7 @@ resource "okta_app_saml" "testAcc_replace_with_uuid" {
   }
 
   attribute_statements {
+    type         = "GROUP"
     name         = "Attr Two"
     filter_type  = "STARTS_WITH"
     filter_value = "test"

examples/okta_app_saml/datasource.tf

@@ -0,0 +1,22 @@
+resource okta_app_saml test {
+  label                    = "testAcc_replace_with_uuid"
+  sso_url                  = "http://google.com"
+  recipient                = "http://here.com"
+  destination              = "http://its-about-the-journey.com"
+  audience                 = "http://audience.com"
+  subject_name_id_template = "$${user.userName}"
+  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  response_signed          = true
+  signature_algorithm      = "RSA_SHA256"
+  digest_algorithm         = "SHA256"
+  honor_force_authn        = false
+  authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+}
+
+data okta_app_saml test {
+  id = "${okta_app_saml.test.id}"
+}
+
+data okta_app_saml test_label {
+  label = "${okta_app_saml.test.label}"
+}

examples/okta_group_roles/README.md

@@ -0,0 +1,6 @@
+# okta_group_roles
+
+Represents an Okta Group Admin Roles. [See Okta documentation for more details](https://developer.okta.com/docs/reference/api/roles/#list-roles-assigned-to-group).
+
+* Example of a group assigned as a SUPER_ADMIN [can be found here](./basic.tf)
+* Example of a group assigned to all roles [can be found here](./all_roles.tf)

examples/okta_group_roles/all_roles.tf

@@ -0,0 +1,19 @@
+resource okta_group test {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource okta_group_roles test {
+  group_id = "${okta_group.test.id}"
+
+  admin_roles = [
+    "SUPER_ADMIN",
+    "ORG_ADMIN",
+    "API_ACCESS_MANAGEMENT_ADMIN",
+    "APP_ADMIN",
+    "USER_ADMIN",
+    "MOBILE_ADMIN",
+    "READ_ONLY_ADMIN",
+    "HELP_DESK_ADMIN",
+  ]
+}

examples/okta_group_roles/basic.tf

@@ -0,0 +1,9 @@
+resource okta_group test {
+  name        = "testAcc_replace_with_uuid"
+  description = "testing"
+}
+
+resource okta_group_roles test {
+  group_id    = "${okta_group.test.id}"
+  admin_roles = ["SUPER_ADMIN"]
+}