okta/terraform-provider-oktapam

TF feedback/issue notes

OKirwinW opened this issue · 1 comments

Feedback submission:

For the most part the TF provider is functional but there are a few gaps in attributes.
Please include code blocks for examples on how to use the provider resources and data attributes.

  • Also for Validating labels:
    Internal validation within the product itself. Currently, I can assign a label for a gateway that does not exist via Terraform.

  • There's also some wording on assigning gateways:

  • `gateway_selector` (String) Assigns ASA Gateways with labels matching all selectors. At least one selector is required for traffic forwarding.
    You can only assign one, what do they mean by ‘at least’?

The documentation on this resource needs adjustment.

  • call it project_group_attachment and call it out in both the oktapam_group and oktapam_project docs in a note-box stating its requirement to pair those two resources together.
  • not clear how to couple oktapam_group, oktapam_project with the Okta provider for group
    If there’s a depends_on conditional I need to throw out if I’m creating an Okta Group and assigning to the Okta ASA Template as a push-group.
    (Likely question if they’re running a multi-provider Okta/OktaPAM Terraform run)

General feedback is to add more polish to validation rules, especially for attributes that are being created by the resource, or referencing pre-existing items within the dashboard. Gateway Selectors are a great example for this.

Thank you for the feedback @OKirwinW. As there are multiple items in this submission I will leave this issue open and respond here in the comments for some of the issues. For the remaining issues, our developers will review this issue on a best effort basis and post questions if needed to clarify any of the feedback.

On this item

`gateway_selector` (String) Assigns ASA Gateways with labels matching all selectors. At least one selector is required for traffic forwarding.
You can only assign one, what do they mean by ‘at least’?

Our API allows for multiple gateway labels to be associated with a Project as shown in current UI and API. Therefore this wording is correct.

not clear how to couple oktapam_group, oktapam_project with the Okta provider for group
If there’s a depends_on conditional I need to throw out if I’m creating an Okta Group and assigning to the Okta ASA Template as a push-group.
(Likely question if they’re running a multi-provider Okta/OktaPAM Terraform run)

Note that the groups in ASA are locally created groups provisioned by SCIM from Okta to mirror Okta groups. This is by design because ASA does allow for local groups to be created in ASA that aren't mirrored from Okta. Putting a depends_on conditional in the OktaPAM Terraform provider to link it to the Okta provider would not support the general case of allowing the OktaPAM provider to work with both Okta SCIM provisioned groups and locally created Okta groups.