This article covers Okta configuration with Terraform. Using Terraform, you can automate the deployment and management of Okta resources, including users, groups, applications, and security policies. This blog walks through setting up a Zoom SAML application, MFA policies, and network zones in Okta, all with Terraform. We'll also look at the benefits of managing Okta configuration with Terraform and provide links to additional resources.
Agenda:
- Introduction to Terraform and Okta Integration
- Setting Up the Environment
- Required tools and accounts.
- Configuring the Okta provider in Terraform.
- Creating Resources with Terraform
- Automating User and Group Creation.
- Setting Up a SAML Application (Zoom) with Custom Attributes.
- Implementing MFA and Password Policies.
- Configuring Network Zones.
- Practical Use Cases
- Where and why this automation is useful.
- Example scenarios in enterprise environments.
- Additional Resources
- Exploring more Terraform examples on GitHub.
- Conclusion
- Recap of key points.
- Next steps and further reading.
Introduction to Terraform and Okta Integration
Managing Okta configurations across multiple environments can be a complex task, especially as your organization scales. Terraform, an open-source Infrastructure as Code (IaC) tool, allows you to automate and standardize these configurations, ensuring consistency and reducing the likelihood of manual errors. IaC also allows configurations to be change-managed in a source control tool like GitHub.
Setting Up the Environment
Before we dive into the Terraform configuration, ensure you have the following:
Required Tools
- Terraform: Installed on your local machine. You can download it from the official Terraform website.
- Okta Account: You need an Okta tenant with API access. You can create a free developer account if you don’t have one.
- Okta API Token: Generate an API token from the Okta Admin Console.
Configuring the Okta Provider in Terraform
Start by defining the Okta provider in your Terraform configuration file. The provider block specifies the Okta tenant you’re working with:
terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "~> 3.0"
    }
  }
}

provider "okta" {
  org_name  = "YOUR_ORG_NAME"       # the part before .okta.com in your tenant URL
  base_url  = "YOUR_BASE_URL"       # e.g. okta.com or oktapreview.com
  api_token = "YOUR_OKTA_API_TOKEN" # inline here for illustration only; keep real tokens out of source control
}
Replace `YOUR_ORG_NAME` and `YOUR_BASE_URL` with your tenant's org name and base URL, and replace `YOUR_OKTA_API_TOKEN` with the API token you generated from your Okta account. The token grants the same rights as the admin who created it, so never commit it to source control: the provider also reads `OKTA_ORG_NAME`, `OKTA_BASE_URL` and `OKTA_API_TOKEN` from the environment when the corresponding arguments are omitted.
The token can be generated with the following steps:
Log in to Okta Admin Console:
Go to https://{yourOktaDomain}-admin.okta.com and log in with your admin credentials.
Go to Security > API:
In the left menu, click Security, then choose API.
Create Token:
Under the Tokens tab, click Create Token. Name the token, then click Create.
Copy the Token:
Copy the token immediately and store it securely, as it won’t be shown again.
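The provider block above embeds the API token in the configuration file. The following is an added example (not part of the original post) of the same provider setup with the credentials moved into Terraform variables, so the token never lands in a committed `.tf` file and is redacted from plan and apply output. The variable names `okta_org_name`, `okta_base_url` and `okta_api_token` are assumptions chosen here; the `okta/okta` provider arguments are the ones used in the post.

```hcl
terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "~> 3.0"
    }
  }
}

# Tenant identity is not secret, but keeping it in variables lets the same
# configuration target a dev, preview and production tenant without edits.
variable "okta_org_name" {
  type        = string
  description = "Okta org name, e.g. dev-123456 for dev-123456.okta.com"
}

variable "okta_base_url" {
  type        = string
  description = "Okta base domain, e.g. okta.com or oktapreview.com"
  default     = "okta.com"
}

# sensitive = true makes Terraform redact the value in plan/apply output and
# in error messages; it is still stored in state, so protect the state file too.
variable "okta_api_token" {
  type        = string
  description = "Okta API token (assumed to be supplied via TF_VAR_okta_api_token)"
  sensitive   = true
}

provider "okta" {
  org_name  = var.okta_org_name
  base_url  = var.okta_base_url
  api_token = var.okta_api_token
}
```

Supply the token at run time with `export TF_VAR_okta_api_token=...` (or a secrets manager that injects that variable in CI) rather than in a `terraform.tfvars` file that might be committed. Omitting `api_token` entirely and relying on the `OKTA_API_TOKEN` environment variable works as well.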

Creating Resources with Terraform
Automating User and Group Creation
To demonstrate Terraform’s capabilities, let’s start by creating a user and a group in Okta:
# Users
resource "okta_user" "jdoe" {
  first_name = "John"
  last_name  = "Doe"
  email      = "jdoe@example.com"
  login      = "jdoe@example.com"
  # With a single, un-aliased provider configuration an explicit
  # "provider = okta" meta-argument is redundant, so it is omitted here.
}

# Groups
resource "okta_group" "developers" {
  name        = "Developers"
  description = "Group for all developer accounts created with Terraform"
}
This configuration creates a user named John Doe and a group called Developers. We will deploy all these configurations in the end after the file is ready.
Setting Up a SAML Application (Zoom) with Custom Attributes
Next, we’ll configure a SAML application for Zoom, complete with custom attribute statements:
# SAML Application (Zoom) with Attribute Statements
resource "okta_app_saml" "zoom" {
  label       = "Zoom"
  sso_url     = "https://zoom.us/saml/SSO"
  recipient   = "https://zoom.us/saml/SSO"
  destination = "https://zoom.us/saml/SSO"
  audience    = "https://zoom.us/saml/SSO"

  # "$${...}" is an escaped literal: Okta, not Terraform, expands ${source.login}.
  subject_name_id_template = "$${source.login}"
  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

  response_signed  = true
  assertion_signed = true
  # SHA-1 is deprecated for SAML signatures; the provider defaults to
  # RSA_SHA256 / SHA256, which should be kept unless the service provider
  # genuinely cannot accept them.
  signature_algorithm = "RSA_SHA1"
  digest_algorithm    = "SHA1"

  honor_force_authn       = true
  authn_context_class_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

  # Default statement type is EXPRESSION: the value is an Okta Expression
  # Language expression evaluated per signing-in user. Interpolating
  # okta_user.jdoe.email here would send John Doe's address for every user.
  attribute_statements {
    name      = "Email"
    namespace = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    values    = ["user.email"]
  }

  # GROUP statements emit the user's group memberships that match the filter.
  attribute_statements {
    type         = "GROUP"
    name         = "Group"
    filter_type  = "STARTS_WITH"
    filter_value = "Developers"
  }

  acs_endpoints = ["https://zoom.us/saml/SSO", "https://okta.com"]
}
This block sets up Zoom as a SAML application in Okta, with attribute statements that map the signing-in user's email and group information. Note that `RSA_SHA1` and `SHA1` are shown for the signature and digest algorithms; SHA-1 is deprecated for SAML signing, and the provider's defaults (`RSA_SHA256` and `SHA256`) should be preferred unless the service provider cannot accept them.
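The user, group and application above are created but not connected to each other, so John Doe could not yet sign in to Zoom. The following is an added example (not part of the original post) that closes that gap: it places `jdoe` in the `Developers` group and assigns that group to the Zoom application, so access is governed by group membership rather than per-user assignments. It references the `okta_user.jdoe`, `okta_group.developers` and `okta_app_saml.zoom` resources defined earlier; the `okta_group_memberships` and `okta_app_group_assignment` resource types are from the `okta/okta` provider (current 3.x releases).

```hcl
# Manage the membership list of the Developers group as a single resource.
# Removing a user from this list removes their Zoom access on the next apply,
# because the application is assigned to the group, not to the user.
resource "okta_group_memberships" "developers" {
  group_id = okta_group.developers.id
  users    = [okta_user.jdoe.id]
}

# Assign the application to the group. The GROUP attribute statement in the
# SAML app (filter "STARTS_WITH Developers") will now carry this membership in
# the assertion for every member who signs in.
resource "okta_app_group_assignment" "zoom_developers" {
  app_id   = okta_app_saml.zoom.id
  group_id = okta_group.developers.id
}
```

Keeping assignments at group level means onboarding and offboarding are membership changes reviewed in source control, and the application configuration itself never has to be edited for a new user.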
Implementing MFA and Password Policies
Security policies like MFA and password rules are crucial for protecting user accounts. Here’s how you can define them:
# MFA Policy for Zoom

# Every Okta tenant has a built-in "Everyone" group; look up its ID rather
# than hard-coding it.
data "okta_group" "all" {
  name = "Everyone"
}

# Factors must be activated in the tenant before a policy can require them.
resource "okta_factor" "okta_email" {
  provider_id = "okta_email"
}

resource "okta_factor" "google_otp" {
  provider_id = "google_otp"
}

resource "okta_policy_mfa" "zoom_mfa_policy" {
  name        = "Zoom MFA Policy"
  status      = "ACTIVE"
  description = "MFA Policy for Zoom Application"

  okta_email = {
    enroll = "REQUIRED"
  }

  google_otp = {
    enroll = "REQUIRED"
  }

  groups_included = [data.okta_group.all.id]

  # Ensure the factors are activated before the policy that references them.
  depends_on = [okta_factor.okta_email, okta_factor.google_otp]
}

resource "okta_policy_password" "zoom_password_policy" {
  name        = "Zoom Password Policy"
  status      = "ACTIVE"
  description = "Password Policy for Zoom Application"

  # Users cannot reuse any of their last five passwords.
  password_history_count = 5
  groups_included        = [data.okta_group.all.id]
}
This configuration requires all users to enroll in both factors and sets a basic password policy. Note that an Okta MFA enrollment policy defines which factors are required and who it applies to, but users are only prompted once a rule (`okta_policy_rule_mfa`) is attached to the policy.
Configuring Network Zones
Network zones help secure your environment by restricting access based on IP ranges or geographic locations:
# Network Zones for Zoom

# IP zone: gateways are the egress addresses of your own network; proxies are
# trusted forward proxies whose forwarded client address Okta should honour.
# The ranges below are private-address examples and need replacing with real ones.
resource "okta_network_zone" "ip_network_zone_zoom" {
  name     = "Zoom IP Network Zone"
  type     = "IP"
  gateways = ["192.168.1.0/24", "10.0.0.0/16"]
  proxies  = ["172.16.0.0/12", "192.168.0.0/16"]
}

# Dynamic zone: matched by geolocation of the client IP (ISO country codes).
resource "okta_network_zone" "dynamic_network_zone_zoom" {
  name              = "Zoom Dynamic Network Zone"
  type              = "DYNAMIC"
  dynamic_locations = ["US", "CA"]
}
This setup creates two network zones: one based on IP ranges and another based on dynamic geographic locations. A zone has no effect on its own; it only restricts anything when a sign-on or MFA policy rule references it (or when the zone's `usage` is set to `BLOCKLIST`).
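Both the MFA policy and the network zones above need rules before they change anything a user experiences. The following is an added example (not part of the original post) that wires them together: an `okta_policy_rule_mfa` that forces factor enrollment at sign-in for any request outside the trusted IP zone, and a sign-on policy whose first rule denies sign-in from outside the US/CA dynamic zone and whose second rule requires MFA for everyone else. It references `okta_policy_mfa.zoom_mfa_policy`, `okta_network_zone.ip_network_zone_zoom`, `okta_network_zone.dynamic_network_zone_zoom` and `data.okta_group.all` from the post; the `okta_policy_signon` resource and all rule names are assumptions added here, and the `policy_id` argument name is the one used by current 3.x provider releases.

```hcl
# Attach a rule to the MFA enrollment policy. network_connection = "ZONE" with
# network_excludes means: apply this rule to every request that does NOT
# originate in the trusted IP zone, and make the user enroll at login.
resource "okta_policy_rule_mfa" "zoom_mfa_outside_office" {
  policy_id          = okta_policy_mfa.zoom_mfa_policy.id
  name               = "Enroll MFA outside trusted network"
  status             = "ACTIVE"
  enroll             = "LOGIN"
  network_connection = "ZONE"
  network_excludes   = [okta_network_zone.ip_network_zone_zoom.id]
}

# A sign-on policy for the same audience as the MFA policy.
resource "okta_policy_signon" "zoom_signon" {
  name            = "Zoom Sign-On Policy"
  status          = "ACTIVE"
  description     = "Sign-on policy for users of the Zoom application"
  groups_included = [data.okta_group.all.id]
}

# Rule 1 (highest priority): deny sign-in from anywhere outside US/CA.
# Deny rules must sit above allow rules; Okta evaluates rules in priority order
# and stops at the first match.
resource "okta_policy_rule_signon" "deny_outside_us_ca" {
  policy_id          = okta_policy_signon.zoom_signon.id
  name               = "Deny sign-in outside US/CA"
  status             = "ACTIVE"
  priority           = 1
  access             = "DENY"
  network_connection = "ZONE"
  network_excludes   = [okta_network_zone.dynamic_network_zone_zoom.id]
}

# Rule 2: everything that survives the deny rule is allowed, but must present
# MFA once per session.
resource "okta_policy_rule_signon" "require_mfa" {
  policy_id    = okta_policy_signon.zoom_signon.id
  name         = "Require MFA for everyone else"
  status       = "ACTIVE"
  priority     = 2
  access       = "ALLOW"
  mfa_required = true
  mfa_prompt   = "SESSION"

  # Create rules in priority order so the provider never has to reorder them.
  depends_on = [okta_policy_rule_signon.deny_outside_us_ca]
}
```

After `terraform apply`, the Admin Console shows the rules under each policy in the priority order set here, with Okta's built-in default rule always last. Because the IP zone uses private example ranges, replace them with your real egress addresses before relying on the exclusion; otherwise every request is treated as "outside the office".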
Now that we have set up everything, we will run the configuration to deploy it to our Okta tenant:
- `terraform init` downloads and sets up the provider.
- `terraform plan` previews the changes.
- `terraform apply` applies these changes to the Okta tenant.
Once these steps complete, all the configurations will be sent over to our Okta tenant. Below are some screenshots that show the changes.

Here’s the Zoom MFA Policy that got created.
Similarly, below are the network zones that were created as well.

To see all the changes and a more detailed process to set this up, check out this video tutorial that walks through everything explained above! –
Practical Use Cases
Why and where this automation is useful
- Multi-Tenant Environments: Enterprises managing multiple Okta tenants can deploy consistent configurations across all environments.
- Rapid Scaling: Quickly onboard new applications, users, and policies as the organization grows.
- Migration and Configuration: Streamline the process of migrating configurations between environments or tenants, ensuring a smooth and consistent setup.
These configurations are particularly useful in large organizations where consistency, speed, and security are top priorities.
Additional Resources
For more examples and advanced configurations, check out the official Okta Terraform provider GitHub repository:
This repository contains a wide variety of examples that can help you create more complex configurations, such as custom applications, advanced MFA policies, and more.
Conclusion
By integrating Terraform with Okta, IT administrators can automate and streamline the management of users, groups, applications, and security policies across multiple environments. This blog has provided a detailed walkthrough of setting up key configurations, ensuring that you can maintain consistency and security in your Okta environments.
Explore the additional resources provided to further enhance your Terraform configurations and manage your Okta environments more effectively.
If you have further questions, feel free to comment below!
Huge shoutout to @yazanbikawi and Jay Venkatraj for helping me formulate this!
Sohini

Thank you for a great article Sohini. Could you please do one on Terraform bulk import of okta configuration for backing up a tenant?
Thank you! I’ll surely keep it on top of my mind next time!!
Excellent post!
Thank you for this great post! Would it be possible to manage directory integrations and more specifically group assignment and provisioning to specific OUs?