Connect with Okta on AWS via Terraform


Prerequisites

  • Step 1: Create Indent Space

    • Create a space: indent.com/spaces/new

    • Step 1.2: Add others to Indent and upgrade your role

      • On the manage space page, click "Invite" (FYI: this currently does not email the invitees)
      • Add anyone who needs any kind of access as "Viewer"
      • Add anyone else on your team who'll need to request access on others' behalf or may need to edit policies as "Editor" (they will still need the "Viewer" role too)
      • Grant yourself, or whoever is completing the other steps, the "Creator" role


  • Step 3: Connect Slack to Indent

    • Go to the Connect to Slack page https://indent.com/catalog/slack/start
    • Click Add to Slack, select the test Slack workspace and then select the right Indent space
    • Then you'll land on the App page
    • Expand the Webhook section and keep the Webhook Secret around for Step 5
    • Add @Indent to #access-requests channel (Important!)

  • Step 4: Prepare Okta tenant

    • Create a sandbox at https://developer.okta.com/signup/ (if necessary)
    • Go to Security → API → Tokens (tab) then "Create Token"

      • Name it something like indent-example-[customer]-token
      • Copy the okta token to your clipboard
    • Go to Directory → Groups, then use "Add Group" to create two groups called admin and read-admin
    • Go to Security → Administrators then "Add Administrator Group"

      • Grant "Org Admin" access to the admin group you just created
      • Grant "Read Only Admin" access to the group read-admin

  • Step 5: Create and set up your webhook

    • Download the example webhook from the indent-js repository:

      curl https://codeload.github.com/indentapis/indent-js/tar.gz/master | \
        tar -xz --strip=2 indent-js-master/examples/terraform-aws-okta-webhook && \
        mv terraform-aws-okta-webhook myapp-terraform-aws-okta-webhook

    • Now install the dependencies...

      npm run deploy:init # initializes terraform aws provider with ~/.aws/config
      npm run deploy:prepare # builds AWS Lambda layers

    • Add the environment variables by renaming the example file and filling in terraform/config/terraform.tfvars:

      mv terraform/config/example.tfvars terraform/config/terraform.tfvars

      # Indent Webhook Secret is used to verify messages from Indent
      indent_webhook_secret = "<from-step-3>"
      # Okta Tenant is used to route requests to your Okta environment
      okta_tenant = "example.okta.com"
      # Okta Token is used to authorize requests to your Okta environment
      okta_token = "<from-step-4>"

    • Deploy with Terraform:

      npm run tf:plan
      npm run tf:apply

      # or if you want to auto-approve deploy
      npm run deploy:all

    • Once it's deployed, copy the URL from the endpoints output and add it to the App page in Indent

  • Step 6: Add Rules to Indent

    • Add kinds of resources, for okta: okta.v1.group
    • Add resource IDs, or leave blank for all
    • Add approvers (individuals who can approve) and, optionally, recipients (public or private channels)
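As an added example (not code from the indent-js repository), the three values that Step 5 puts in terraform.tfvars can be declared as Terraform input variables marked sensitive, so terraform plan and apply output redacts them instead of echoing them; the variable names are the page's, while the Lambda resource name, IAM role, artifact path and environment variable names are assumptions:

```hcl
# Added example, not part of the indent-js project. Declares the inputs that
# terraform/config/terraform.tfvars supplies (names from Step 5) as sensitive,
# so Terraform redacts them in plan/apply output instead of printing them.

variable "indent_webhook_secret" {
  description = "Webhook Secret from the Indent App page (Step 3); verifies that incoming messages really come from Indent"
  type        = string
  sensitive   = true
}

variable "okta_tenant" {
  description = "Okta tenant the webhook routes requests to, e.g. example.okta.com"
  type        = string
}

variable "okta_token" {
  description = "Okta API token created in Step 4; authorizes requests to the Okta tenant"
  type        = string
  sensitive   = true
}

# Assumed Lambda wiring: the resource name, IAM role, artifact path and the
# environment variable names are placeholders, not the project's own values.
resource "aws_lambda_function" "okta_webhook" {
  function_name = "myapp-terraform-aws-okta-webhook"
  role          = aws_iam_role.lambda_exec.arn   # assumed: role defined elsewhere
  filename      = "build/webhook.zip"            # assumed build artifact
  handler       = "index.handler"
  runtime       = "nodejs16.x"

  environment {
    variables = {
      INDENT_WEBHOOK_SECRET = var.indent_webhook_secret
      OKTA_TENANT           = var.okta_tenant
      OKTA_TOKEN            = var.okta_token
    }
  }
}
```

Marking a variable sensitive only redacts CLI output: the values still land in Terraform state and in the Lambda's environment in clear text, readable by anyone with access to the state backend or lambda:GetFunctionConfiguration. Keep terraform.tfvars out of version control for the same reason.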
🎉 🎉 🎉 🎉 🎉 Great Job! 🎉 🎉 🎉 🎉 🎉