okta · janugeethakumari-okta · Nov 14, 2025 · Nov 17, 2025 · Nov 20, 2025 · Nov 21, 2025
@@ -61,6 +61,7 @@ guides:
  - keep-me-signed-in
  - key-management
  - manage-orgs-okta-aerial
+ - terraform-oig-resources
  - mfa
  - migrate-to-okta-prerequisites
  - migrate-to-okta-bulk

@@ -0,0 +1,9 @@
+---
+title: Manage Terraform Okta Identity Governance resources
+meta:
+  - name: description
+    content: Use this guide to manage Okta Identity Governance resources using Terraform.
+layout: Guides
+sections:
+ - main
+---
@@ -0,0 +1,2 @@
+See configurable schema for the [Campaigns resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/campaign#schema). You can use this schema to create and update campaigns using the Terraform `okta_campaign` resource.
+
@@ -0,0 +1,10 @@
+
+```shell
+
+resource "okta_campaign" "example" 
+{
+  name = "example"
+}
+
+```
+
@@ -0,0 +1,8 @@
+
+**Note**: Ensure that you have the campaign ID to import an existing campaign object into Terraform. You can retrieve this ID in either the Admin Console or using the [Campaigns API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Campaigns/).
+
+```shell
+
+terraform import okta_campaign.example <campaign_id>
+
+```
@@ -0,0 +1 @@
+Okta Access Certification Campaigns is a core Okta Identity Governance feature that allows stakeholders to conduct scheduled reviews of user access to apps and resources. Based on the reviews, Okta can then modify resource access so that the users are provided with only have the access they need. See [Campaigns](https://help.okta.com/okta_help.htm?type=oie&id=campaigns.htm) and [Campaigns API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Campaigns/).
-Okta Access Certification Campaigns is a core Okta Identity Governance feature that allows stakeholders to conduct scheduled reviews of user access to apps and resources. Based on the reviews, Okta can then modify resource access so that the users are provided with only have the access they need. See [Campaigns](https://help.okta.com/okta_help.htm?type=oie&id=campaigns.htm) and [Campaigns API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Campaigns/).
+Okta Access Certification Campaigns is a core Okta Identity Governance feature that allows stakeholders to conduct scheduled reviews of user access to resources, such as apps and groups. See [Campaigns](https://help.okta.com/okta_help.htm?type=oie&id=<NEED campaign alias>) in the product documentation and the [Campaigns](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Campaigns/) API.
-Okta Access Certification Campaigns is a core Okta Identity Governance feature that allows stakeholders to conduct scheduled reviews of user access to apps and resources. Based on the reviews, Okta can then modify resource access so that the users are provided with only have the access they need. See [Campaigns](https://help.okta.com/okta_help.htm?type=oie&id=campaigns.htm) and [Campaigns API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Campaigns/).
+Okta Access Certification Campaigns is a core Okta Identity Governance feature that allows stakeholders to conduct scheduled reviews of user access to resources, such as apps and groups. See [Campaigns](https://help.okta.com/okta_help.htm?type=oie&id=<NEED campaign alias>) in the product documentation and the [Campaigns](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Campaigns/) API.
@@ -0,0 +1 @@
+Campaigns
@@ -0,0 +1,8 @@
+
+```bash
+
+data "okta_campaign" "test" 
+{
+  id = "<campaign id>"
+}
+```
@@ -0,0 +1,3 @@
+- okta.governance.accessCertifications.manage
+- okta.governance.accessCertifications.read
+
@@ -0,0 +1,2 @@
+See configurable schema for the [Entitlement bundles resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/entitlement_bundle#schema). You can use this schema to create and update campaigns using the Terraform `okta_entitlement_bundle` resource.
+
@@ -0,0 +1,9 @@
+
+
+```shell
+resource "okta_entitlement_bundle" "example" 
+{
+  name = "example"
+}
+
+```
@@ -0,0 +1,10 @@
+
+
+
+**Note**: Ensure that you have the entitlement bundle ID to import an existing entitlement bundle object into Terraform. You can retrieve this ID in either the Admin Console or using the [Entitlement Bundles API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlement-Bundles/).
+
+
+```shell
+terraform import okta_entitlement_bundle.example <entitlement_bundle_id>
+```
+
@@ -0,0 +1,2 @@
+Entitlement bundles allow you to grant multiple entitlements simultaneously to your users. Use Access Requests to allow your users to request entitlement bundles in a self-service manner.
+For more information, see [Entitlement bundles](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlement-bundles.htm) and [Entitlement Bundles API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlement-Bundles/).
@@ -0,0 +1 @@
+Entitlement Bundles
@@ -0,0 +1,11 @@
+
+```bash
+
+data "okta_entitlement"  test {
+  id="enb11ndt4yZ27Rp4z1d7"
+}
+output "test" {
+  value = data.okta_entitlement.test
+
+}
+```
@@ -0,0 +1,2 @@
+- okta.governance.entitlements.manage
+- okta.governance.entitlements.read
@@ -0,0 +1 @@
+See configurable schema for the [Entitlement resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/entitlement#schema). You can use this schema to create and update campaigns using the Terraform `okta_entitlement` resource.
@@ -0,0 +1,8 @@
+
+
+```shell
+resource "okta_entitlement" "example" 
+{
+  name = "example"
+}
+```
@@ -0,0 +1,10 @@
+
+
+
+**Note**: Ensure that you have the entitlement ID to import an existing entitlement object into Terraform. You can retrieve this ID in either the Admin Console or using the [Entitlement API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlements/).
+
+
+```shell
+terraform import okta_entitlement.example <entitlement_id>
+```
+
@@ -0,0 +1,2 @@
+Entitlement Management lets you ensure that users in your org have the right permissions for each resource. An entitlement is a permission, privilege, or access level that allows users to take specific actions within a third-party app.
+For more information, see [Entitlement](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlements.htm) and [Entitlement API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlements/).
@@ -0,0 +1 @@
+Entitlements
@@ -0,0 +1,8 @@
+
+```bash
+
+data "okta_entitlement" "test" 
+{
+  id = "<entitlement id>"
+}
+```
@@ -0,0 +1,3 @@
+- okta.governance.entitlements.manage
+- okta.governance.entitlements.read
+
@@ -0,0 +1,126 @@
+---
+title: Manage Okta Identity Governance resources using Terraform
+meta:
+  - name: description
+    content: Learn how to create, import, and modify Okta Identity Governance resources using Terraform automation.
+layout: Guides
+---
+Learn how to create, import, and modify Okta Identity Governance resources using Terraform automation.
+
+#### Learning outcomes
+
+- Define and create an <StackSnippet snippet="resource-name" inline/> resource using Terraform.
+- Modify an existing <StackSnippet snippet="resource-name" inline/> resource managed by Terraform.
+- Import <StackSnippet snippet="resource-name" inline/> resource from Okta into your Terraform state.
+
+#### What you need
+- Familiarity with the Terraform terms, such as configuration, resources, state, and commands.
+- An Okta org with the OIG SKU enabled.
+- A Terraform configuration that can access your Okta org. See [Okta provider configuration](#okta-provider-configuration).
+- An Okta user account with the super administrator role.
+- Terraform 1.8.5 or later.
+- Okta Terraform provider 6.0.0 or later.
+
+> **Note:** The instructions on this page are for the **<StackSnippet snippet="resource-name" inline/>** protocol. <br>
-> **Note:** The instructions on this page are for the **<StackSnippet snippet="resource-name" inline/>** protocol. <br>
+> **Note:** The instructions on this page are for the **<StackSnippet snippet="resource-name" inline/>** resource. <br>
-> **Note:** The instructions on this page are for the **<StackSnippet snippet="resource-name" inline/>** protocol. <br>
+> **Note:** The instructions on this page are for the **<StackSnippet snippet="resource-name" inline/>** resource. <br>
+> If you want to change the protocol instructions on this page, select the protocol you want from the **Instructions for** dropdown list on the right.
-> If you want to change the protocol instructions on this page, select the protocol you want from the **Instructions for** dropdown list on the right.
+> If you want to change the resource instructions on this page, select the resource you want from the **Instructions for** dropdown list on the right.
-> If you want to change the protocol instructions on this page, select the protocol you want from the **Instructions for** dropdown list on the right.
+> If you want to change the resource instructions on this page, select the resource you want from the **Instructions for** dropdown list on the right.
+
+### Overview
+
+<StackSnippet snippet="overview" inline/>
+
+### Set up your Terraform files
+
+For guidance on organizing your files, see [setting up a typical Okta Terraform configuration](/docs/guides/terraform-organize-configuration/main/#configure-a-basic-okta-terraform-configuration). Consider organizing your Terraform code in a way that groups related resources together. For example, you could create a Terraform file called `brands.tf` that contains custom domains, brands, and themes.
-For guidance on organizing your files, see [setting up a typical Okta Terraform configuration](/docs/guides/terraform-organize-configuration/main/#configure-a-basic-okta-terraform-configuration). Consider organizing your Terraform code in a way that groups related resources together. For example, you could create a Terraform file called `brands.tf` that contains custom domains, brands, and themes.
+For guidance on organizing your files, see [setting up a typical Okta Terraform configuration](/docs/guides/terraform-organize-configuration/main/#configure-a-basic-okta-terraform-configuration). Consider organizing your Terraform code in a way that groups related resources together. For example, you could create a Terraform file called `apps.tf` that contains apps, app entitlements, and entitlement bundles.
-For guidance on organizing your files, see [setting up a typical Okta Terraform configuration](/docs/guides/terraform-organize-configuration/main/#configure-a-basic-okta-terraform-configuration). Consider organizing your Terraform code in a way that groups related resources together. For example, you could create a Terraform file called `brands.tf` that contains custom domains, brands, and themes.
+For guidance on organizing your files, see [setting up a typical Okta Terraform configuration](/docs/guides/terraform-organize-configuration/main/#configure-a-basic-okta-terraform-configuration). Consider organizing your Terraform code in a way that groups related resources together. For example, you could create a Terraform file called `apps.tf` that contains apps, app entitlements, and entitlement bundles.
+
+#### Add or confirm the API scopes
+
+Your Terraform integration requires the appropriate scopes that depend on what you're managing:
-Your Terraform integration requires the appropriate scopes that depend on what you're managing:
+Your Terraform integration requires the appropriate scopes that depend on what you're managing. The following are the scopes required for <resource snippet name>:
-Your Terraform integration requires the appropriate scopes that depend on what you're managing:
+Your Terraform integration requires the appropriate scopes that depend on what you're managing. The following are the scopes required for <resource snippet name>:
+
+<StackSnippet snippet="scope"/></br>
+
+To grant scopes in the Admin Console and to include them in your Terraform code, see the guides on [enabling your API service app for Terraform access](/docs/guides/terraform-enable-org-access/) and [setting up a typical Okta Terraform configuration](/docs/guides/terraform-organize-configuration/).
+
+### Okta provider configuration
+
+Configure the Okta Terraform provider in your Terraform configuration files. This configuration involves setting up credentials (for example, API token) with relevant permissions to manage entitlements within your Okta org.
+
+```bash
+
+    terraform {
+      required_providers {
+        okta = {
+          source  = "okta/okta"
+          version = ">= 6.0.0"
+      }
+    }
+    provider "okta" {
+      org_name  = var.okta_org_name
+      api_token = var.okta_api_token
+    }
+    variable "okta_org_name" {
+      description = "Your Okta org name (e.g., 'trial-12345678.okta.com')."
+      type        = string
+      sensitive   = true
+    }
+    variable "okta_api_token" {
+      description = "Your Okta API token with relevant permissions."
+      type        = string
+      sensitive   = true
+    }
+```
+
+#### Configure Identity Governance on your Okta org
+Before creating an entitlement, you must enable Identity Governance on the app in your Okta org.
+1. In the Admin Console, go to your OIDC web app.
+1. In the **General** tab, locate Identity Governance and select **Edit**.
+1. Select **Enable** from the **Governance Engine** dropdown menu.
+1. Select **Save**.
+
+> **Note:** The instructions on this page are for the **<StackSnippet snippet="resource-name" inline/>** protocol. <br>
+> If you want to change the protocol instructions on this page, select the protocol you want from the **Instructions for** dropdown list on the right.
+
+### Resource arguments
+
+<StackSnippet snippet="arguments" inline/>
+
+### Create a <StackSnippet snippet="resource-name" inline/> resource
+
+1. Create a resource block in your Terraform configuration file. For example, this sample defines an access review <StackSnippet snippet="resource-name" inline/> for a specific app.
-1. Create a resource block in your Terraform configuration file. For example, this sample defines an access review <StackSnippet snippet="resource-name" inline/> for a specific app.
+1. Create a resource block in your Terraform configuration file. For example, this sample defines a/an <StackSnippet snippet="resource-name" inline/> block.
-1. Create a resource block in your Terraform configuration file. For example, this sample defines an access review <StackSnippet snippet="resource-name" inline/> for a specific app.
+1. Create a resource block in your Terraform configuration file. For example, this sample defines a/an <StackSnippet snippet="resource-name" inline/> block.
+
+<StackSnippet snippet="create" inline/>
+
+2. Run the ` terraform plan` command. The output of the command provides a preview of the changes Terraform makes to your infrastructure.
+
+3. Run the `terraform apply` command. This command provisions the entitlement resource.
+
+> **Note**: To apply only a new resource, run a targeted apply command. For example, `terraform apply -target <resource_name>`
+
+4. Type `yes` when prompted to complete the resource creation.
+
+
+#### Import existing objects to Terraform
+
+You can import existing <StackSnippet snippet="resource-name" inline/> objects to Terraform using the import function. For more information on importing objects into Terraform, see [Import existing Okta objects into Terraform](docs/guides/terraform-import-existing-resources/main/).
+
+**Note**: Ensure that you have the <StackSnippet snippet="resource-name" inline/> ID that you want to import.
+
+
+1. Create a resource block to host the object you’re importing. The configuration must match the object in Okta.
+
+2. Run the following command to import your existing <StackSnippet snippet="resource-name" inline/> object into your Terraform state.
+
+<StackSnippet snippet="import" inline/>
+
+3. Save the file, run `terraform plan`, and then run `terraform apply`.
+4. Verify that the `terraform.tfstate` file is created on your Terraform working directory. This ensures that the Terraform resource creation was completed successfully. This file records the mapping between the resources defined in your configuration files and the objects in your Okta org.
+
+#### Retrieve existing <StackSnippet snippet="resource-name" inline/>
+
+To view a <StackSnippet snippet="resource-name" inline/>  that is already managed by Terraform, or any <StackSnippet snippet="resource-name" inline/>  in your org, you can use a data source.
+
+<StackSnippet snippet="retrieve" inline/>
+
+#### Modify existing <StackSnippet snippet="resource-name" inline/>
+
+To modify a <StackSnippet snippet="resource-name" inline/>  that is already managed by Terraform, update the code in your configuration file. Terraform detects the change and applies it on the next run.
+Save the file, run `terraform plan`, and then run `terraform apply` to apply the change to your <StackSnippet snippet="resource-name" inline/> in Okta.
@@ -0,0 +1 @@
+See configurable schema for the [Request Conditions resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/request_condition#schema). You can use this schema to create and update campaigns using the Terraform `okta_request_condition` resource.
@@ -0,0 +1,13 @@
+``` bash
+resource "okta_request_condition" "example" {
+  resource_id="<resource_id>"
+  approval_sequence_id="<approval_sequence_id>"
+  name="<name>"
+  access_scope_settings{
+    type="RESOURCE_DEFAULT"
+  }
+  requester_settings{
+    type="EVERYONE"
+  }
+}
+``` 
@@ -0,0 +1,6 @@
+
+**Note**: Ensure that you have the resource ID and request condition ID to import an existing request condition object into Terraform. You can retrieve this ID in either the Admin Console or using the [Request Conditions API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Conditions/#tag/Request-Conditions/operation/getResourceRequestConditionV2).
+
+``` bash
+terraform import okta_request_condition.example <resource_id>/<request_condition_id>
+```
@@ -0,0 +1 @@
+Request conditions define what resources and access levels requesters can request from their resource catalog. See [Request Conditions](https://help.okta.com/oie/en-us/content/topics/identity-governance/access-requests/rcar-conditions.htm) and [Request Conditions API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Conditions/#tag/Request-Conditions/operation/getResourceRequestConditionV2).
@@ -0,0 +1 @@
+Request Conditions
@@ -0,0 +1,7 @@
+``` bash
+data "okta_request_condition" "test" 
+{
+  id ="<request_condition_id>"
+  resource_id="<resource_id>"
+}
+```
@@ -0,0 +1,2 @@
+* okta.accessRequests.condition.read
+* okta.accessRequests.condition.manage
@@ -0,0 +1 @@
+See configurable schema for the [Request Sequences resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/request_sequence#schema). You can use this schema to create and update campaigns using the Terraform `okta_request_sequence` resource.
@@ -0,0 +1,7 @@
+``` bash
+resource "okta_request_sequence" "test"
+{
+  id= "<sequence_id>"
+  resource_id= "<resource_id>"
+}
+```
@@ -0,0 +1,7 @@
+
+**Note**: Ensure that you have the resource ID and request sequence ID to import an existing request sequence object into Terraform. You can retrieve this ID in either the Admin Console or using the [Request Sequences API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Sequences/).
+
+``` bash
+terraform import okta_request_condition.example <resource_id>/<request_sequence_id>
+```
+
@@ -0,0 +1,2 @@
+Request sequences define a series of steps (questions, approval tasks, and custom tasks) that must be completed for a requester to gain access.
+Request sequences can be re-used across many request conditions. See [Request Sequences](https://help.okta.com/oie/en-us/content/topics/identity-governance/access-requests/rcar-approval-seq-edit.htm) and [Request Sequences API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Sequences/).
@@ -0,0 +1 @@
+Request Sequences
@@ -0,0 +1,7 @@
+``` bash
+data "okta_request_sequence" "test" 
+{
+  id="<sequence_id>"
+  resource_id="<resource_id>"
+}
+```
@@ -0,0 +1,2 @@
+* okta.accessRequests.condition.read
+* okta.accessRequests.condition.manage
@@ -0,0 +1 @@
+See configurable schema for the [Request Settings resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/request_setting_resource#schema). You can use this schema to create and update campaigns using the Terraform `okta_request_setting` resource.
@@ -0,0 +1,18 @@
+``` bash
+resource "okta_request_setting_resource" "test"
+{
+  resource_id="<resource_id>"
+  risk_settings
+  {
+    default_setting
+    {
+      request_submission_type= "ALLOWED_WITH_OVERRIDES"
+      approval_sequence_id="<approval_sequence_id>"
+    }
+  }
+  request_on_behalf_of_settings
+  {
+    allowed = true
+  }
+}
+```
@@ -0,0 +1,6 @@
+
+**Note**: Ensure that you have the resource ID to import an existing request setting object into Terraform. You can retrieve this ID in either the Admin Console or using the [Request Settings API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Settings/).
+
+``` bash
+terraform import okta_request_setting_resource.example "<resource_id>"
+```
@@ -0,0 +1 @@
+Request settings are useful for managing your org's access requests. Request settings can be read and updated at the org and resource level. For more infomration see [Access requests - Get started](https://help.okta.com/oie/en-us/content/topics/identity-governance/access-requests/ar-get-started.htm) and [Request Settings API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Settings/).
@@ -0,0 +1 @@
+Request Settings
@@ -0,0 +1,6 @@
+``` bash
+data "okta_request_setting_resource" "test" 
+{
+  resource_id="<id>"
+}
+```
@@ -0,0 +1,2 @@
+* okta.accessRequests.condition.read
+* okta.accessRequests.condition.manage
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		See configurable schema for the [Campaigns resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/campaign#schema). You can use this schema to create and update campaigns using the Terraform `okta_campaign` resource.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Campaigns
Copy link Contributor vanngo-okta Dec 5, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. The object is called "campaign", but if you're talking about the API resource name, it's usually plural, so "Campaigns API". This snippet might not work for all cases in your doc.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		- okta.governance.accessCertifications.manage
		- okta.governance.accessCertifications.read
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		See configurable schema for the [Entitlement bundles resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/entitlement_bundle#schema). You can use this schema to create and update campaigns using the Terraform `okta_entitlement_bundle` resource.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Entitlement bundles allow you to grant multiple entitlements simultaneously to your users. Use Access Requests to allow your users to request entitlement bundles in a self-service manner.
		For more information, see [Entitlement bundles](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlement-bundles.htm) and [Entitlement Bundles API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlement-Bundles/).
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- okta.governance.entitlements.manage
		- okta.governance.entitlements.read
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Entitlement Management lets you ensure that users in your org have the right permissions for each resource. An entitlement is a permission, privilege, or access level that allows users to take specific actions within a third-party app.
		For more information, see [Entitlement](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlements.htm) and [Entitlement API](https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlements/).
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		See configurable schema for the [Request Conditions resource](https://registry.terraform.io/providers/okta/okta/latest/docs/resources/request_condition#schema). You can use this schema to create and update campaigns using the Terraform `okta_request_condition` resource.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Request conditions define what resources and access levels requesters can request from their resource catalog. See [Request Conditions](https://help.okta.com/oie/en-us/content/topics/identity-governance/access-requests/rcar-conditions.htm) and [Request Conditions API](https://developer.okta.com/docs/api/iga/openapi/governance.requests.admin.v2/tag/Request-Conditions/#tag/Request-Conditions/operation/getResourceRequestConditionV2).
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		* okta.accessRequests.condition.read
		* okta.accessRequests.condition.manage