fix: handle multiple okta idps in access policies

Signed-off-by: Matt Provost <[email protected]>
cloudflare · Aug 7, 2024 · dc20fbb · dc20fbb
1 parent 81399ba
commit dc20fbb
Showing 1 changed file with 19 additions and 11 deletions.
diff --git a/internal/sdkv2provider/resource_cloudflare_access_group.go b/internal/sdkv2provider/resource_cloudflare_access_group.go
@@ -411,8 +411,7 @@ func TransformAccessGroupForSchema(ctx context.Context, accessGroup []interface{
 	authMethod := ""
 	geos := []string{}
 	loginMethod := []string{}
-	oktaID := ""
-	oktaGroups := []string{}
+	oktaGroups := []map[string]interface{}{}
 	gsuiteID := ""
 	gsuiteEmails := []string{}
 	githubName := ""
@@ -488,8 +487,22 @@ func TransformAccessGroupForSchema(ctx context.Context, accessGroup []interface{
 				}
 			case "okta":
 				oktaCfg := groupValue.(map[string]interface{})
-				oktaID = oktaCfg["identity_provider_id"].(string)
-				oktaGroups = append(oktaGroups, oktaCfg["name"].(string))
+				oktaIdPID := oktaCfg["identity_provider_id"].(string)
+				oktaGroupName := oktaCfg["name"].(string)
+
+				var oktaGroup map[string]interface{}
+				for _, og := range oktaGroups {
+					if og["identity_provider_id"] == oktaIdPID {
+						oktaGroup = og
+						break
+					}
+				}
+
+				if len(oktaGroup) == 0 {
+					oktaGroups = append(oktaGroups, map[string]interface{}{"identity_provider_id": oktaIdPID, "name": []string{oktaGroupName}})
+				} else {
+					oktaGroup["name"] = append(oktaGroup["name"].([]string), oktaGroupName)
+				}
 			case "gsuite":
 				gsuiteCfg := groupValue.(map[string]interface{})
 				gsuiteID = gsuiteCfg["identity_provider_id"].(string)
@@ -605,13 +618,8 @@ func TransformAccessGroupForSchema(ctx context.Context, accessGroup []interface{
 		groupMap["login_method"] = loginMethod
 	}
 
-	if len(oktaGroups) > 0 && oktaID != "" {
-		groupMap["okta"] = []interface{}{
-			map[string]interface{}{
-				"identity_provider_id": oktaID,
-				"name":                 oktaGroups,
-			},
-		}
+	if len(oktaGroups) > 0 {
+		groupMap["okta"] = oktaGroups
 	}
 
 	if len(gsuiteEmails) > 0 && gsuiteID != "" {