hashicorp · paddycarver · Feb 13, 2018 · Jul 23, 2017 · Oct 24, 2017
diff --git a/vault/okta.go b/vault/okta.go
@@ -0,0 +1,154 @@
+package vault
+
+import (
+	"fmt"
+	"github.com/hashicorp/vault/api"
+	"strings"
+)
+
+type oktaUser struct {
+	Username string
+	Groups   []string
+	Policies []string
+}
+
+type oktaGroup struct {
+	Name     string
+	Policies []string
+}
+
+func isOktaUserPresent(client *api.Client, path, username string) (bool, error) {
+	secret, err := client.Logical().Read(oktaUserEndpoint(path, username))
+	if err != nil {
+		return false, err
+	}
+
+	return secret != nil, err
+}
+
+func listOktaUsers(client *api.Client, path string) ([]string, error) {
+	secret, err := client.Logical().List(oktaUserEndpoint(path, ""))
+	if err != nil {
+		return []string{}, err
+	}
+
+	if secret == nil || secret.Data == nil {
+		return []string{}, nil
+	}
+
+	if v, ok := secret.Data["keys"]; ok {
+		return toStringArray(v.([]interface{})), nil
+	}
+
+	return []string{}, nil
+}
+
+func readOktaUser(client *api.Client, path string, username string) (*oktaUser, error) {
+	secret, err := client.Logical().Read(oktaUserEndpoint(path, username))
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &oktaUser{
+		Username: username,
+		Groups:   toStringArray(secret.Data["groups"].([]interface{})),
+		Policies: toStringArray(secret.Data["policies"].([]interface{})),
+	}, nil
+}
+
+func updateOktaUser(client *api.Client, path string, user oktaUser) error {
+	_, err := client.Logical().Write(oktaUserEndpoint(path, user.Username), map[string]interface{}{
+		"groups":   strings.Join(user.Groups, ","),
+		"policies": strings.Join(user.Policies, ","),
+	})
+
+	return err
+}
+
+func deleteOktaUser(client *api.Client, path, username string) error {
+	_, err := client.Logical().Delete(oktaUserEndpoint(path, username))
+	return err
+}
+
+func isOktaAuthBackendPresent(client *api.Client, path string) (bool, error) {
+	auths, err := client.Sys().ListAuth()
+	if err != nil {
+		return false, fmt.Errorf("error reading from Vault: %s", err)
+	}
+
+	configuredPath := path + "/"
+
+	for authBackendPath, auth := range auths {
+
+		if auth.Type == "okta" && authBackendPath == configuredPath {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func isOktaGroupPresent(client *api.Client, path, name string) (bool, error) {
+	secret, err := client.Logical().Read(oktaGroupEndpoint(path, name))
+	if err != nil {
+		return false, err
+	}
+
+	return secret != nil, err
+}
+
+func listOktaGroups(client *api.Client, path string) ([]string, error) {
+	secret, err := client.Logical().List(oktaGroupEndpoint(path, ""))
+	if err != nil {
+		return []string{}, err
+	}
+
+	if secret == nil || secret.Data == nil {
+		return []string{}, nil
+	}
+
+	if v, ok := secret.Data["keys"]; ok {
+		return toStringArray(v.([]interface{})), nil
+	}
+
+	return []string{}, nil
+}
+
+func readOktaGroup(client *api.Client, path string, name string) (*oktaGroup, error) {
+	secret, err := client.Logical().Read(oktaGroupEndpoint(path, name))
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &oktaGroup{
+		Name:     name,
+		Policies: toStringArray(secret.Data["policies"].([]interface{})),
+	}, nil
+}
+
+func updateOktaGroup(client *api.Client, path string, group oktaGroup) error {
+	_, err := client.Logical().Write(oktaGroupEndpoint(path, group.Name), map[string]interface{}{
+		"policies": strings.Join(group.Policies, ","),
+	})
+
+	return err
+}
+
+func deleteOktaGroup(client *api.Client, path, name string) error {
+	_, err := client.Logical().Delete(oktaGroupEndpoint(path, name))
+	return err
+}
+
+func oktaConfigEndpoint(path string) string {
+	return fmt.Sprintf("/auth/%s/config", path)
+}
+
+func oktaUserEndpoint(path, username string) string {
+	return fmt.Sprintf("/auth/%s/users/%s", path, username)
+}
+
+func oktaGroupEndpoint(path, groupName string) string {
+	return fmt.Sprintf("/auth/%s/groups/%s", path, groupName)
+}
diff --git a/vault/provider.go b/vault/provider.go
@@ -96,6 +96,9 @@ func Provider() terraform.ResourceProvider {
 			"vault_aws_auth_backend_sts_role": awsAuthBackendSTSRoleResource(),
 			"vault_aws_secret_backend":        awsSecretBackendResource(),
 			"vault_aws_secret_backend_role":   awsSecretBackendRoleResource(),
+			"vault_okta_auth_backend":         oktaAuthBackendResource(),
+			"vault_okta_auth_backend_user":    oktaAuthBackendUserResource(),
+			"vault_okta_auth_backend_group":   oktaAuthBackendGroupResource(),
 			"vault_generic_secret":            genericSecretResource(),
 			"vault_policy":                    policyResource(),
 			"vault_mount":                     mountResource(),