Okta is the OIDC provider used for authentication and authorisation across the services of the project.
Services connected to Okta:

  • Grafana

  • Vault

  • ArgoCD

  • Cloudflare

  • Iam-manager

  • BOFE

  • Genesys (SSO)

  • To be added

We use Terraform to create users and groups and to attach users to the created groups.

To create a user, specify their first and last name, email and group in the yaml file. The user then receives an email with a link to register their account.
Be aware that a user cannot be created without being assigned to a group. For now there are 3 main parent groups:

  • DevOps

  • Developers

  • Meiro
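The user-creation side described above, as an added example (not the project's own module): it assumes a users.yaml with the fields shown in the comment, uses the okta_user and okta_group_memberships resources, and refuses to plan a user who is not in at least one of the three parent groups.

```hcl
# users.yaml (assumed layout, not prescribed by this page):
#   users:
#     - first_name: Jane
#       last_name: Doe
#       email: jane.doe@example.com
#       groups: ["Developers"]
locals {
  parent_groups = ["DevOps", "Developers", "Meiro"]
  users         = yamldecode(file("${path.module}/users.yaml")).users
  users_by_mail = { for u in local.users : u.email => u }
}

resource "okta_group" "parent" {
  for_each   = toset(local.parent_groups)
  name       = each.value
  skip_users = true # membership is managed by okta_group_memberships below
}

resource "okta_user" "this" {
  for_each   = local.users_by_mail
  first_name = each.value.first_name
  last_name  = each.value.last_name
  login      = each.value.email
  email      = each.value.email

  lifecycle {
    # Fail at plan time instead of creating an orphaned user with no group.
    precondition {
      condition     = length(setintersection(toset(each.value.groups), toset(local.parent_groups))) > 0
      error_message = "Every user must belong to at least one parent group (DevOps, Developers, Meiro)."
    }
  }
}

# One membership resource per parent group; each.key is the group name.
resource "okta_group_memberships" "parent" {
  for_each = okta_group.parent
  group_id = each.value.id
  users    = [for u in local.users : okta_user.this[u.email].id if contains(u.groups, each.key)]
}
```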

Basic integration with application

Using the ArgoCD application as an example.

locals {
  argocd_admin_groups = [
    "DevOps"
  ]
  argocd_viewer_groups = [
    "Developers"
  ]
  argocd_label  = "argocd"
  argocd_domain = "argocd.safibank.online"
}

data "vault_generic_secret" "okta" {
  path = "secret/dev/okta/api_token"
}

data "okta_group" "source_okta_argocd_admin_group" {
  for_each = toset(local.argocd_admin_groups)
  name     = each.value
}

data "okta_group" "source_okta_argocd_viewer_group" {
  for_each = toset(local.argocd_viewer_groups)
  name     = each.value
}

resource "okta_app_oauth" "argocd" {
  label                     = local.argocd_label
  type                      = "web"
  grant_types               = ["authorization_code"]
  login_uri                 = "https://${local.argocd_domain}/okta"
  post_logout_redirect_uris = ["https://${local.argocd_domain}/applications"]
  redirect_uris             = ["https://${local.argocd_domain}/auth/callback"]
  response_types            = ["code"]
  skip_groups               = true

  groups_claim {
    type        = "FILTER"
    filter_type = "REGEX"
    name        = "groups"
    value       = "${local.argocd_label}.*"
  }
}

resource "okta_group" "argocd_admin" {
  name        = "${local.argocd_label}-admin"
  description = "Group of users with admin permissions to the Argocd"
  skip_users  = true
}

resource "okta_group" "argocd_viewer" {
  name        = "${local.argocd_label}-viewer"
  description = "Group of users with read permissions to the Argocd"
  skip_users  = true
}

resource "okta_app_group_assignments" "argocd_assignments" {
  app_id = okta_app_oauth.argocd.id
  group {
    id       = okta_group.argocd_admin.id
    priority = 1
  }
  group {
    id       = okta_group.argocd_viewer.id
    priority = 2
  }
}

resource "okta_group_rule" "argocd_admin_group_rule" {
  for_each          = toset(local.argocd_admin_groups)
  name              = "argocd_admin_${index(local.argocd_admin_groups, each.key)}"
  expression_value  = "isMemberOfGroup(\"${data.okta_group.source_okta_argocd_admin_group[each.key].id}\")"
  group_assignments = [okta_group.argocd_admin.id]
  status            = "ACTIVE"
}

resource "okta_group_rule" "argocd_viewer_group_rule" {
  for_each          = toset(local.argocd_viewer_groups)
  name              = "argocd_viewer_${index(local.argocd_viewer_groups, each.key)}"
  expression_value  = "isMemberOfGroup(\"${data.okta_group.source_okta_argocd_viewer_group[each.key].id}\")"
  group_assignments = [okta_group.argocd_viewer.id]
  status            = "ACTIVE"
}

We create an OAuth app in Okta for ArgoCD and two groups, argocd-admin and argocd-viewer, which match the groups configured on the ArgoCD side. The groups_claim filter (argocd.*) means only groups whose name matches that pattern are put into the token's groups claim, so ArgoCD does not receive unrelated Okta groups. Group rules then automatically assign members of DevOps to argocd-admin and members of Developers to argocd-viewer.