This module allows us to set up Retool from scratch. It uses the Helm chart provided by the Retool team.
- A hosted-zone sub-domain or delegated sub-domain is required by the module. The k8s annotations use this DNS name, and the External-DNS service (also a prerequisite for this module) will create an A record in the specified hosted zone.
- An EKS cluster with the ALB Controller and External-DNS with IRSA needs to be created. We have a Terraform module (yet to be open-sourced) that simplifies this process. This module takes a hosted zone ID as input.
- An RDS cluster with a database endpoint and a database named `retool` created. Also, the secrets ARN for the database is required, with the `DATABASE_USERNAME` and `DATABASE_PASSWORD` key-value pairs.
Retool supports SAML with SCIM and OpenID Connect with generic OpenID providers. We recommend OpenID Connect as it allows endpoints to sit behind a firewall/VPN and still have the advantage of syncing Okta groups.
Steps to integrate with Okta OpenID Connect are here.
One piece that the document doesn't cover, but which is needed, is that after the OpenID Connect Retool integration is created, we need to do the following:
- Click on the `Sign On` tab on the Retool app
- Find the section `OpenID Connect ID Token`, and click `Edit`
- Set `Groups claim type` to `Filter` from the drop-down list
- Set `Groups claim filter` to `groups`, select `Matches regex` from the adjacent drop-down list, and set the regex to `retool-.*`
- It would be best to use the same filter here in point 7, but instead of `Starts With` we can use `Matches regex` and set the regex to `retool-.*`
This is based on this Okta doc.
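The Okta-side steps above, as an added example written against the Okta Terraform provider rather than the admin UI; this is not part of this module, and the app label, redirect URI and group name are placeholders.

```hcl
# Added example (not part of this module): the "OpenID Connect ID Token"
# groups-claim settings from the steps above, declared with the Okta
# Terraform provider. Label, redirect URI and group name are placeholders.

# A group following the naming convention the claim filter relies on.
resource "okta_group" "retool_admins" {
  name        = "retool-admins"
  description = "Retool administrators (example group)"
}

resource "okta_app_oauth" "retool" {
  label          = "Retool (example)"
  type           = "web"
  grant_types    = ["authorization_code"]
  response_types = ["code"]

  # Placeholder: replace with the callback URL of your Retool deployment.
  redirect_uris = ["https://retool.example.com/REPLACE_WITH_RETOOL_CALLBACK"]

  # Groups claim type = Filter, Groups claim filter = groups,
  # Matches regex, retool-.*
  # Only groups whose name matches the regex are emitted in the ID token,
  # so the user's other group memberships are not disclosed to Retool.
  groups_claim {
    type        = "FILTER"
    filter_type = "REGEX"
    name        = "groups"
    value       = "retool-.*"
  }
}
```

Changing `filter_type` to `STARTS_WITH` with `value = "retool-"` reproduces the `Starts With` variant mentioned in point 7.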
NOTE: This TF module was created by Prasanth Kommini.