
Assigning a SAML app preconfiguredApp settings to enable the Provisioning Integration API token setting (Snowflake) #748

Closed
sean-stage opened this issue Oct 23, 2024 · 2 comments
Labels
kind/question Questions about existing features

@sean-stage

I have had a search around the Snowflake and Okta pulumi modules for information on how this might be configured but haven't found anything yet, so I'm hoping a quick post here might help.

I use the snowflake Okta app catalog 'preconfiguredApp' to create a SAML application in Okta with the pulumi Okta module. This mirrors the previous manually set-up method I use to configure multiple Okta applications for users to sign into various Snowflake accounts.

When having previously set these up manually in the Okta admin console, using the 'snowflake' app catalog template, the "Provisioning" tab of the application has a section labelled "Integration" where you are able to provide a SCIM token (generated in Snowflake from the security integration you create there).

Enabling this and providing the token allows Okta to be able to create/update users assigned to the Snowflake okta application in Snowflake itself. (The create/updates are delegated across to the Snowflake security integration automatically).

I can't figure out how to configure this Okta Snowflake App setting with the Pulumi okta+snowflake modules. (I have already set up the Snowflake ScimIntegration and have got pulumi to generate the SCIM access token successfully) so the last part is just setting up the Provisioning Integration.

What I have:

Snowflake creation of the SCIM integration:

import * as snowflake from "@pulumi/snowflake";

// Snowflake side: the SCIM security integration that Okta will provision users through.
// (sfkAccountName, scimIntegrationName, oktaProvisionerRoleName, scimTokenSeed and
// provider are defined elsewhere in the program.)
new snowflake.ScimIntegration(sfkAccountName + "_okta_provisioning_integration", {
    name: scimIntegrationName,
    enabled: true,
    scimClient: "OKTA",
    syncPassword: "false",
    runAsRole: oktaProvisionerRoleName,
}, { provider: provider });

// Mint the SCIM access token for that integration. `execute` runs on create and
// `query` is what populates the resource's results with the generated token.
const genTokenSql = `select system$generate_scim_access_token('${scimIntegrationName}');`;
const scimToken = new snowflake.UnsafeExecute(sfkAccountName + "_generate_scim_access_token_" + scimTokenSeed, {
    execute: genTokenSql,
    revert: genTokenSql,
    query: genTokenSql,
}, { provider: provider });

(I would assume the above scimToken value will be passed through to the Okta Application for the Provisioning integration).

Okta creation of the 'snowflake' app catalog SAML app:

import * as okta from "@pulumi/okta";

// Okta side: SAML app created from the 'snowflake' app catalog template.
// (project, environment, sfkAccountWithOrgName and oktaProvider are defined elsewhere.)
const samlApp = new okta.app.Saml(sfkAccountName + "_okta_snowflake_app", {
    preconfiguredApp: "snowflake",
    label: `Snowflake (${project}-${environment})`,
    appSettingsJson: JSON.stringify({
        subDomain: sfkAccountWithOrgName.toLowerCase(),
    }),
}, { provider: oktaProvider });

So with the above two done, I now need to know how to enable the Okta Snowflake app's Provisioning integration. This is what the area looks like when configured 'by hand' in the Okta Admin console:

[Screenshot: the Okta Snowflake app's Provisioning tab, "Integration" section, configured by hand]
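The token that the UnsafeExecute resource above produces is a bearer credential for the Snowflake SCIM endpoint, so how it is pulled out of the query result and how it is handled in state and logs matters regardless of how the Okta side eventually gets configured. The following is an added example, not the issue author's code and not part of the Pulumi Snowflake or Okta providers. It assumes that `snowflake.UnsafeExecute` exposes the rows of `query` through a `results` output shaped as an array of objects keyed by column name, and that Snowflake names the column of a bare function call after the expression itself (so the key is not something a program should hard-code). The sample row and token value are constructed placeholders.

```typescript
// Added example; assumes UnsafeExecute's `results` output is an array of
// row objects keyed by column name (an assumption, not verified against the
// provider here). The helper takes the single value of the single row instead
// of hard-coding the column name, because Snowflake names the column of a bare
// function call after the expression itself.

type ResultRow = { [column: string]: string };

// Constructed sample shaped like the result of
// `select system$generate_scim_access_token('OKTA_PROVISIONING');`.
// The token value is a placeholder, not a real Snowflake SCIM token.
const sampleRows: ResultRow[] = [
  { "SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_PROVISIONING')": "placeholder-scim-token-value" },
];

// Pull the SCIM bearer token out of a result set that must be exactly one row
// with exactly one column; anything else means the query did not do what we
// expected, and failing loudly beats silently wiring an empty token into Okta.
function extractScimToken(rows: ResultRow[]): string {
  if (rows.length !== 1) {
    throw new Error(`expected one result row, got ${rows.length}`);
  }
  const row = rows[0];
  const values = Object.keys(row).map((k) => row[k]);
  if (values.length !== 1) {
    throw new Error(`expected one result column, got ${values.length}`);
  }
  const token = values[0];
  if (typeof token !== "string" || token.trim().length === 0) {
    throw new Error("SCIM token is missing or empty");
  }
  return token.trim();
}

// Safe representation for logs and `pulumi preview` output: first four
// characters plus the length, never the token itself.
function redactToken(token: string): string {
  return `${token.slice(0, 4)}...(${token.length} chars)`;
}

// Stand-alone run: prints only the redacted form.
console.log(redactToken(extractScimToken(sampleRows)));
```

In the actual program the helper would be applied to the resource output, along the lines of `scimToken.results.apply(extractScimToken)` (again assuming the `results` output name), and the resulting `Output<string>` should be wrapped with `pulumi.secret(...)` or the UnsafeExecute created with the standard resource option `additionalSecretOutputs: ["results"]`, so the token is encrypted in the stack state rather than stored in the clear.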

@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Oct 23, 2024
@VenelinMartinov (Contributor)

Hey @sean-stage. Thanks for the question. Unfortunately, this is probably not the best place to ask this as we are not necessarily experts with Okta and Snowflake.

The way a lot of pulumi providers work, and Snowflake and Okta specifically, is that they wrap the Terraform provider maintained by Snowflake and Okta, respectively. They are probably better suited to answer your question as they understand their products much better.

Once you have the relevant terraform resources to configure the snowflake app, you should be able to translate into pulumi either by mapping the resource name yourself (they are named quite similarly) or using pulumi AI for example: https://www.pulumi.com/ai

In case the terraform providers are not able to configure the snowflake app, then pulumi would not be able to either as we support the same set of resources, so we'd need to wait for support upstream. Hope this helps! Let me know if you have any other questions.

@VenelinMartinov VenelinMartinov added kind/question Questions about existing features and removed needs-triage Needs attention from the triage team labels Oct 28, 2024
@sean-stage (Author)

Thanks @VenelinMartinov - that makes sense. I've had a look already through the upstream terraform provider for okta but couldn't see what I needed - but it's clear now that I should ask this question there, so will do so. Thanks!
