Merge pull request cloudflare#3579 from BSFishy/access_policy_okta

fix: handle multiple okta idps in access policies
alyssamw · Aug 9, 2024 · 751fdf3 · 751fdf3
2 parents ddce6a4 + 8c9c810
commit 751fdf3
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/.changelog/3579.txt b/.changelog/3579.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_access_policy: handle multiple okta idps in access policies
+```
diff --git a/internal/sdkv2provider/resource_cloudflare_access_group.go b/internal/sdkv2provider/resource_cloudflare_access_group.go
@@ -430,8 +430,7 @@ func TransformAccessGroupForSchema(ctx context.Context, accessGroup []interface{
 	authMethod := ""
 	geos := []string{}
 	loginMethod := []string{}
-	oktaID := ""
-	oktaGroups := []string{}
+	oktaGroups := []map[string]interface{}{}
 	gsuiteID := ""
 	gsuiteEmails := []string{}
 	githubName := ""
@@ -507,8 +506,22 @@ func TransformAccessGroupForSchema(ctx context.Context, accessGroup []interface{
 				}
 			case "okta":
 				oktaCfg := groupValue.(map[string]interface{})
-				oktaID = oktaCfg["identity_provider_id"].(string)
-				oktaGroups = append(oktaGroups, oktaCfg["name"].(string))
+				oktaIdPID := oktaCfg["identity_provider_id"].(string)
+				oktaGroupName := oktaCfg["name"].(string)
+
+				var oktaGroup map[string]interface{}
+				for _, og := range oktaGroups {
+					if og["identity_provider_id"] == oktaIdPID {
+						oktaGroup = og
+						break
+					}
+				}
+
+				if len(oktaGroup) == 0 {
+					oktaGroups = append(oktaGroups, map[string]interface{}{"identity_provider_id": oktaIdPID, "name": []string{oktaGroupName}})
+				} else {
+					oktaGroup["name"] = append(oktaGroup["name"].([]string), oktaGroupName)
+				}
 			case "gsuite":
 				gsuiteCfg := groupValue.(map[string]interface{})
 				gsuiteID = gsuiteCfg["identity_provider_id"].(string)
@@ -624,13 +637,8 @@ func TransformAccessGroupForSchema(ctx context.Context, accessGroup []interface{
 		groupMap["login_method"] = loginMethod
 	}
 
-	if len(oktaGroups) > 0 && oktaID != "" {
-		groupMap["okta"] = []interface{}{
-			map[string]interface{}{
-				"identity_provider_id": oktaID,
-				"name":                 oktaGroups,
-			},
-		}
+	if len(oktaGroups) > 0 {
+		groupMap["okta"] = oktaGroups
 	}
 
 	if len(gsuiteEmails) > 0 && gsuiteID != "" {