Configuring the PingOne Self Service application
The following shows an example of how to configure the PingOne Self Service system application.
You can configure the PingOne Self Service application in the PingOne admin console. It’s a web application, and its capabilities are configured by assigning resource scopes to the application, rather than through a dedicated API or Terraform resource.
First, you’ll need to ensure that the Self Service application itself is configured using the pingone_system_application resource.
resource "pingone_system_application" "pingone_self_service" {
  environment_id = pingone_environment.my_environment.id

  type    = "PING_ONE_SELF_SERVICE"
  enabled = true

  apply_default_theme         = true
  enable_default_theme_footer = true
}
You’ll then select which self-service capabilities (the scopes) you want to apply to the Self Service application. The simplest way is to create a list and select the appropriate scope data using the pingone_resource_scope data source.
locals {
  pingone_api_scopes = [
    # Manage Profile
    "p1:read:user",
    "p1:update:user",

    # Manage Authentication
    "p1:create:device",
    "p1:create:pairingKey",
    "p1:delete:device",
    "p1:read:device",
    "p1:read:pairingKey",
    "p1:update:device",

    # Enable or Disable MFA
    "p1:update:userMfaEnabled",

    # Change Password
    "p1:read:userPassword",
    "p1:reset:userPassword",
    "p1:validate:userPassword",

    # Manage Linked Accounts
    "p1:delete:userLinkedAccounts",
    "p1:read:userLinkedAccounts",

    # Manage Sessions
    "p1:delete:sessions",
    "p1:read:sessions",

    # View Agreements
    "p1:read:userConsent",

    # Manage OAuth Consents
    "p1:read:oauthConsent",
    "p1:update:oauthConsent",
  ]
}
data "pingone_resource_scope" "pingone_api" {
  for_each = toset(local.pingone_api_scopes)

  environment_id = pingone_environment.my_environment.id
  resource_type  = "PINGONE_API"

  name = each.key
}
Next, you’ll map the appropriate scopes to enable the specific self-service features you want using the pingone_application_resource_grant resource.
resource "pingone_application_resource_grant" "my_awesome_spa_pingone_api_resource_grants" {
  environment_id = pingone_environment.my_environment.id
  application_id = pingone_system_application.pingone_self_service.id

  resource_type = "PINGONE_API"

  scopes = [
    for scope in data.pingone_resource_scope.pingone_api : scope.id
  ]
}
The Self Service application is now configured with the required capabilities.
You can find the full runnable example on GitHub.
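To grant only the capabilities your users actually need, the flat scope list can be derived from a per-capability map, so that disabling a capability removes its scopes from the grant. This is an added example, not part of the original guide or the provider's documentation: the variable `self_service_capabilities`, the local `capability_scopes` and the capability keys are hypothetical names derived from the comments in the scope list, and the block is intended to replace the `locals` block shown earlier.

```hcl
# Added example. Capability keys are hypothetical labels based on the comments
# in the guide's scope list; the scope names themselves are taken from the guide.
variable "self_service_capabilities" {
  type        = set(string)
  description = "Self-service capabilities to enable; list only what users need."
  default     = ["manage_profile", "change_password"]

  validation {
    # Reject typos early, so that a misspelled capability fails at plan time
    # instead of surfacing as a missing-key error in the lookup below.
    condition = alltrue([
      for c in var.self_service_capabilities : contains([
        "manage_profile", "manage_authentication", "toggle_mfa",
        "change_password", "manage_linked_accounts", "manage_sessions",
        "view_agreements", "manage_oauth_consents",
      ], c)
    ])
    error_message = "Unknown self-service capability."
  }
}

locals {
  capability_scopes = {
    manage_profile         = ["p1:read:user", "p1:update:user"]
    manage_authentication  = ["p1:create:device", "p1:create:pairingKey", "p1:delete:device", "p1:read:device", "p1:read:pairingKey", "p1:update:device"]
    toggle_mfa             = ["p1:update:userMfaEnabled"]
    change_password        = ["p1:read:userPassword", "p1:reset:userPassword", "p1:validate:userPassword"]
    manage_linked_accounts = ["p1:delete:userLinkedAccounts", "p1:read:userLinkedAccounts"]
    manage_sessions        = ["p1:delete:sessions", "p1:read:sessions"]
    view_agreements        = ["p1:read:userConsent"]
    manage_oauth_consents  = ["p1:read:oauthConsent", "p1:update:oauthConsent"]
  }

  # Same name as the guide's flat list, so the data source and the grant
  # resource work unchanged; only scopes of enabled capabilities are included.
  pingone_api_scopes = distinct(flatten([
    for c in var.self_service_capabilities : local.capability_scopes[c]
  ]))
}
```

Because the grant resource builds its `scopes` from the data source, removing a capability from the variable shows up in `terraform plan` as a reduction of the granted scopes, which makes scope changes reviewable.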