
Terraform Cloud Okta Warden

Project description


What is this?

If you use Terraform Cloud and have configured SSO for it via Okta (or any other IdP), it is important to know that Terraform Cloud does not always enforce login via SSO.

In certain scenarios (as tested in February 2024), a user can still access your Terraform Cloud organization even after their account in the IdP has been de-provisioned:

  • If you have not taken steps to ensure that, when a user is de-provisioned in your IdP, their account is also removed from your Terraform Cloud organization. This does not happen automatically, as TFC does not support SCIM: it has to be a manual step in your users' off-boarding flow, or a custom solution built on your IdP's API/Workflows and the TFC API.

  • If the user had set a password (with optional TOTP as 2FA) on their TFC account and still has those credentials stored.

    They can then log in to Terraform Cloud. They cannot open your organization in the UI (they are prompted to re-authenticate with SSO), but they can create an API token and regain the same level of access they had before their account was de-provisioned. Any API tokens they had created before would also keep working (and, for example, allow them to terraform destroy any infrastructure they had access to).

  • If the user was a member of the owners team of your TFC organization, they can bypass SSO entirely and regain their access both via the UI and the API.

HashiCorp considers this behaviour to be working as designed, presumably as a break-glass measure. See their SSO documentation for details.

If you use Okta as your IdP and any of the above scenarios apply to you, this small CLI helps you flag user accounts that are de-provisioned in Okta but still active in your TFC organization.
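The reconciliation the scenarios above call for, written out as an added Python example (this is not the project's own code). The core check, find_stale_members, runs offline against constructed sample data in the shape the two APIs return; the two fetch_* helpers show how the inputs would be pulled from Okta and Terraform Cloud and are not exercised by the sample run. The endpoint paths, header names and pagination fields (Okta's SSWS token and Link header, TFC's organization-memberships endpoint with page[number] paging) are taken from the vendor API documentation as I know it and should be verified against the current docs before relying on them. One caveat worth knowing when building this yourself: Okta's unfiltered list-users endpoint omits DEPROVISIONED users, so without an explicit status filter a de-provisioned user simply looks "missing"; the check below treats both cases as a finding.

```python
"""Flag Terraform Cloud organization members whose Okta account is missing or de-provisioned.

Hypothetical example written for this page, not the project's own code. Endpoint paths,
headers and pagination fields are assumptions taken from the vendor API docs; verify them.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Okta statuses treated as "this person should no longer have access". The page's
# definition is "missing or de-provisioned"; SUSPENDED is a common addition.
DEFAULT_STALE_STATUSES = frozenset({"DEPROVISIONED"})


@dataclass(frozen=True)
class Finding:
    email: str        # TFC membership email, lower-cased
    tfc_status: str   # TFC membership status ("active" or "invited")
    okta_status: str  # Okta status, or "MISSING" if no Okta user has that login/email


def okta_index(okta_users):
    """Map lower-cased Okta login and email -> Okta status (ACTIVE, DEPROVISIONED, ...)."""
    index = {}
    for user in okta_users:
        profile = user.get("profile", {})
        for key in ("login", "email"):
            value = profile.get(key)
            if value:
                index[value.lower()] = user["status"].upper()
    return index


def find_stale_members(tfc_memberships, okta_users, stale_statuses=DEFAULT_STALE_STATUSES):
    """Return TFC members (active and still-invited) who are missing from Okta or stale there."""
    index = okta_index(okta_users)
    findings = []
    for membership in tfc_memberships:
        attrs = membership["attributes"]
        email = attrs["email"].lower()
        okta_status = index.get(email, "MISSING")
        if okta_status == "MISSING" or okta_status in stale_statuses:
            findings.append(Finding(email, attrs.get("status", "unknown"), okta_status))
    return sorted(findings, key=lambda f: f.email)


def _get_json(url, headers):
    """GET url and return (parsed JSON body, response headers)."""
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response), response.headers


def _okta_next_link(link_header):
    """Extract the rel="next" URL from Okta's Link header(s), or None on the last page."""
    for part in (link_header or "").split(","):
        if 'rel="next"' in part:
            return part.split(";")[0].strip().strip("<>")
    return None


def fetch_okta_users(okta_org_url, okta_token):
    """List all Okta users. The unfiltered endpoint omits DEPROVISIONED users,
    so a second pass with an explicit status filter fetches them."""
    headers = {"Authorization": f"SSWS {okta_token}", "Accept": "application/json"}
    users = []
    for params in ({"limit": 200}, {"limit": 200, "filter": 'status eq "DEPROVISIONED"'}):
        url = f"{okta_org_url}/api/v1/users?{urllib.parse.urlencode(params)}"
        while url:
            page, resp_headers = _get_json(url, headers)
            users.extend(page)
            url = _okta_next_link(", ".join(resp_headers.get_all("Link") or []))
    return users


def fetch_tfc_memberships(tfc_url, tfc_org_name, tfc_token):
    """List organization memberships (active and invited) with page[number] paging."""
    headers = {"Authorization": f"Bearer {tfc_token}", "Accept": "application/vnd.api+json"}
    memberships, page_number = [], 1
    while page_number:
        params = urllib.parse.urlencode({"page[number]": page_number, "page[size]": 100})
        url = f"{tfc_url}/api/v2/organizations/{tfc_org_name}/organization-memberships?{params}"
        body, _ = _get_json(url, headers)
        memberships.extend(body["data"])
        page_number = body.get("meta", {}).get("pagination", {}).get("next-page")
    return memberships


# Constructed sample data in the shape of the two APIs, trimmed to the fields used.
SAMPLE_TFC_MEMBERSHIPS = [
    {"id": "ou-1", "attributes": {"email": "alice@example.com", "status": "active"}},
    {"id": "ou-2", "attributes": {"email": "Bob@example.com", "status": "active"}},
    {"id": "ou-3", "attributes": {"email": "carol@example.com", "status": "invited"}},
    {"id": "ou-4", "attributes": {"email": "dave@example.com", "status": "active"}},
]
SAMPLE_OKTA_USERS = [
    {"status": "ACTIVE", "profile": {"login": "alice@example.com", "email": "alice@example.com"}},
    {"status": "DEPROVISIONED", "profile": {"login": "bob@example.com", "email": "bob@example.com"}},
    {"status": "SUSPENDED", "profile": {"login": "dave@example.com", "email": "dave@example.com"}},
]

if __name__ == "__main__":
    # bob is DEPROVISIONED and carol has no Okta user at all; dave (SUSPENDED) is only
    # reported if you pass stale_statuses={"DEPROVISIONED", "SUSPENDED"}.
    for finding in find_stale_members(SAMPLE_TFC_MEMBERSHIPS, SAMPLE_OKTA_USERS):
        print(f"{finding.email}: TFC={finding.tfc_status} Okta={finding.okta_status}")
```

Invited memberships are reported alongside active ones because they are pending grants that still name a person who has left; matching is done on the lower-cased address, since TFC and Okta do not always agree on letter case. Whatever produces the findings, the follow-up is the manual removal the page describes: remove the membership, and revoke any API tokens the user created, since those keep working regardless of SSO.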

Requirements

  • API tokens for Okta and Terraform Cloud (or Enterprise) with access to list users. These can be provided via environment variables (see Usage).

Installation

You can install Terraform Cloud Okta Warden via pip from PyPI:

$ pip install terraform-cloud-okta-warden

Usage

 terraform-cloud-okta-warden --help

 Usage: terraform-cloud-okta-warden [OPTIONS] OKTA_TOKEN TFC_TOKEN

 Checks for existence of non-active Okta users in Terraform Cloud organization.
 Non-active users are those who are missing or de-provisioned in Okta.

╭─ Arguments ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ *    okta_token      TEXT  Okta API token with access to list users [env var: OKTA_TOKEN] [default: None] [required]                                                            │
│ *    tfc_token       TEXT  Terraform Cloud token with access to list users [env var: TFC_TOKEN] [default: None] [required]                                                      │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ *  --okta-org-url              TEXT  Your Okta domain url (e.g. https://mycompany.okta.com) [default: None] [required]                                                          │
│ *  --tfc-org-name              TEXT  Terraform Cloud Organization name [default: None] [required]                                                                               │
│    --tfc-url                   TEXT  Defaults to Terraform Cloud, provide the URL if you use Terraform Enterprise [default: https://app.terraform.io]                           │
│    --version                                                                                                                                                                    │
│    --log-level                 TEXT  [default: INFO]                                                                                                                            │
│    --install-completion              Install completion for the current shell.                                                                                                  │
│    --show-completion                 Show completion for the current shell, to copy it or customize the installation.                                                           │
│    --help                            Show this message and exit.                                                                                                                │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Contributing

Contributions are very welcome. To learn more, see the Contributor Guide.

License

Distributed under the terms of the Apache 2.0 license, Terraform Cloud Okta Warden is free and open source software.

Issues

If you encounter any problems, please file an issue along with a detailed description.

Credits

This project was generated from @cjolowicz's Hypermodern Python Cookiecutter template.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

terraform_cloud_okta_warden-0.2.0.tar.gz (12.1 kB view hashes)

Uploaded Source

Built Distribution

terraform_cloud_okta_warden-0.2.0-py3-none-any.whl (12.2 kB view hashes)

Uploaded Python 3
