Connect with Okta on AWS via Terraform

Prerequisites

• Node v10+ — can find out by running node --version should also have npx

  • via package manager
  • via node version manager
• Terraform — installation docs

• Cloud credentials

  • Okta — Group Manager role for required Groups
  • AWS — IAM policy for deploying AWS Lambda

• Step 1: Create Indent Space

  • Create a space: indent.com/spaces/new

  • Step 1.2: Add others to Indent and upgrade your role

    • On the manage space page, click "Invite" (FYI: this currently does not email the invitees)
    • Add anyone who needs any kind of access as "Viewer"
    • Add anyone else on your team who'll need to request on others behalf others or may need to edit policies as "Editor" (they will still need to "Viewer" too)
    • Grant yourself or whoever is completing the other steps "Creator" role

• Step 2: Create Slack workspace (if necessary)

  • Create a workspace https://slack.com/get-started#/create
  • Create a channel called #access-requests

• Step 3: Connect Slack to Indent

  • Go to the Connect to Slack page https://indent.com/catalog/slack/start
  • Click Add to Slack, select the test Slack workspace and then select the right Indent space
  • Then you'll land on the App page
  • Expand the Webhook section and keep the Webhook Secret around for Step 5
  • Add @Indent to #access-requests channel (Important!)

• Step 4: Prepare Okta tenant

  • Create a sandbox https://developer.okta.com/signup/ (if necessary)

  • Go to Security → API → Tokens (tab) then "Create Token"

    • Name it something like indent-example-[customer]-token
    • Copy the okta token to your clipboard
  • Go to Directory → Groups then "Add Group" called admin & read-admin

  • Go to Security → Administrators then "Add Administrator Group"

    • Grant "Org Admin" access to the group you just created admin
    • Grant "Read Only Admin" access to the group read-admin

• Step 5: Create and setup your webhook

  • Clone the Okta on AWS via Terraform Webhook from the indentapis/indent-js repo...

curl https://codeload.github.com/indentapis/indent-js/tar.gz/master | \
  tar -xz --strip=2 indent-js-master/examples/terraform-aws-okta-webhook && \
  mv terraform-aws-okta-webhook myapp-terraform-aws-okta-webhook

• Now install the dependencies...

npm run deploy:init # initializes terraform aws provider with ~/.aws/config
npm run deploy:prepare # builds AWS Lambda layers

• Add the environment variables...

mv terraform/config/example.tfvars terraform/config/terraform.tfvars

# Indent Webhook Secret is used to verify messages from Indent
indent_webhook_secret = "<from-step-3>"
# Okta Tenant is used to route requests to your Okta environment
okta_tenant = "example.okta.com"
# Okta Token is used to authorize requests to your Okta environment
okta_token = "<from-step-4>"

npm run tf:plan
npm run tf:apply

# or if you want to auto-approve deploy
npm run deploy:all

• Once it's deployed, copy the URL from the endpoints and add to the App

• Step 6: Add Rules to Indent

  • Add kinds of resources, for okta: okta.v1.group
  • Add resource IDs, or leave blank for all
  • Add approvers (individuals who can approve) and, optionally, recipients (public or private channels)