Okta is the OIDC provider used for authentication and authorisation on the different services of the project.
List of services connected to Okta:
Grafana
Vault
ArgoCD
Cloudflare
Iam-manager
BOFE
Genesys (SSO)
To be added
We use Terraform to create users and groups and to attach users to the created groups.
To create a user you need to specify their first and last name, email and group in a YAML file. Afterwards the user receives an email with a link to register their account.
Be aware that a user can't be created without being assigned to a group. For now, there are 3 main parent groups:
DevOps
Developers
Meiro
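The following is an added example of how the YAML-driven user creation described above can be expressed in Terraform; it is not the project's own module. It assumes a YAML schema with a top-level "users" list (first_name, last_name, email, group), embeds constructed sample data inline instead of reading users.yaml, and adds a precondition so a user whose group is not one of the three parent groups fails the plan instead of being created unassigned or misplaced.

```hcl
# Added example, not the project's own code. The YAML below is constructed sample
# data embedded inline so the example is self-contained; a real module would use
# yamldecode(file("${path.module}/users.yaml")) instead.
locals {
  users_yaml = <<-EOT
    users:
      - first_name: Alice
        last_name: Example
        email: alice.example@example.com
        group: DevOps
      - first_name: Bob
        last_name: Example
        email: bob.example@example.com
        group: Developers
  EOT

  # Keyed by email so resource addresses stay stable when the list is reordered.
  users = { for u in yamldecode(local.users_yaml).users : u.email => u }

  # The only groups a user may be placed in directly (the parent groups above).
  parent_groups = ["DevOps", "Developers", "Meiro"]
}

# Resolve each parent group once; the plan fails if a group does not exist in Okta.
data "okta_group" "parent" {
  for_each = toset(local.parent_groups)
  name     = each.value
}

resource "okta_user" "this" {
  for_each = local.users

  first_name = each.value.first_name
  last_name  = each.value.last_name
  login      = each.value.email
  email      = each.value.email

  lifecycle {
    # Enforce the rule that every user belongs to a parent group, so a typo in
    # the YAML cannot create an account outside the intended group structure.
    precondition {
      condition     = contains(local.parent_groups, each.value.group)
      error_message = "User ${each.key} must be assigned to one of: ${join(", ", local.parent_groups)}."
    }
  }
}

# One membership resource per parent group listing the users assigned to it.
resource "okta_group_memberships" "parent" {
  for_each = toset(local.parent_groups)

  group_id = data.okta_group.parent[each.value].id
  users    = [for email, u in local.users : okta_user.this[email].id if u.group == each.value]
}
```

Because no password is set on the user resource, Okta sends the activation email mentioned above when the account is created. Removing an entry from the YAML destroys the corresponding user and its memberships on the next apply, which is the offboarding behaviour you want from a declarative identity setup.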
Basic integration with an application
Using the ArgoCD application as an example.
locals {
  argocd_admin_groups  = ["DevOps"]
  argocd_viewer_groups = ["Developers"]
  argocd_label         = "argocd"
  argocd_domain        = "argocd.safibank.online"
}

# Okta API token read from Vault (consumed by the Okta provider configuration).
data "vault_generic_secret" "okta" {
  path = "secret/dev/okta/api_token"
}

# Existing parent groups whose members are mapped into the ArgoCD groups.
data "okta_group" "source_okta_argocd_admin_group" {
  for_each = toset(local.argocd_admin_groups)
  name     = each.value
}

data "okta_group" "source_okta_argocd_viewer_group" {
  for_each = toset(local.argocd_viewer_groups)
  name     = each.value
}

# OIDC web application for ArgoCD using the authorization code flow.
resource "okta_app_oauth" "argocd" {
  label                     = local.argocd_label
  type                      = "web"
  grant_types               = ["authorization_code"]
  login_uri                 = "https://${local.argocd_domain}/okta"
  post_logout_redirect_uris = ["https://${local.argocd_domain}/applications"]
  redirect_uris             = ["https://${local.argocd_domain}/auth/callback"]
  response_types            = ["code"]
  skip_groups               = true

  # Only groups whose name starts with "argocd" are placed in the "groups" claim.
  groups_claim {
    type        = "FILTER"
    filter_type = "REGEX"
    name        = "groups"
    value       = "${local.argocd_label}.*"
  }
}

resource "okta_group" "argocd_admin" {
  name        = "${local.argocd_label}-admin"
  description = "Group of users with admin permissions to the Argocd"
  skip_users  = true
}

resource "okta_group" "argocd_viewer" {
  name        = "${local.argocd_label}-viewer"
  description = "Group of users with read permissions to the Argocd"
  skip_users  = true
}

# Assign both groups to the ArgoCD application.
resource "okta_app_group_assignments" "argocd_assignments" {
  app_id = okta_app_oauth.argocd.id

  group {
    id       = okta_group.argocd_admin.id
    priority = 1
  }

  group {
    id       = okta_group.argocd_viewer.id
    priority = 2
  }
}

# Group rules: membership of a parent group automatically grants membership of the
# matching ArgoCD group, so access is derived from the parent groups, not managed by hand.
resource "okta_group_rule" "argocd_admin_group_rule" {
  for_each = toset(local.argocd_admin_groups)

  name              = "argocd_admin_${index(local.argocd_admin_groups, each.key)}"
  expression_value  = "isMemberOfGroup(\"${data.okta_group.source_okta_argocd_admin_group[each.key].id}\")"
  group_assignments = [okta_group.argocd_admin.id]
  status            = "ACTIVE"
}

resource "okta_group_rule" "argocd_viewer_group_rule" {
  for_each = toset(local.argocd_viewer_groups)

  name              = "argocd_viewer_${index(local.argocd_viewer_groups, each.key)}"
  expression_value  = "isMemberOfGroup(\"${data.okta_group.source_okta_argocd_viewer_group[each.key].id}\")"
  group_assignments = [okta_group.argocd_viewer.id]
  status            = "ACTIVE"
}
We create an OAuth app in Okta for ArgoCD. We create two groups, argocd-admin and argocd-viewer, that match the groups configured on the ArgoCD side, and we create group rules that assign members of DevOps to argocd-admin and members of Developers to argocd-viewer. Because the groups claim is filtered with the regex "argocd.*", only these two group names reach ArgoCD, so ArgoCD's RBAC policy must key off exactly those names.
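The ArgoCD side of the mapping above, as an added example that is not the project's own code. It assumes the Okta resources from the snippet above are in the same Terraform module, that the Kubernetes provider is configured for the cluster running ArgoCD in the "argocd" namespace, and it uses a placeholder Okta org URL. The existing argocd-cm and argocd-rbac-cm ConfigMaps are patched with kubernetes_config_map_v1_data rather than replaced, and the client secret lives in a dedicated Secret referenced by name from the OIDC config.

```hcl
# Added example, not the project's own code. Assumes okta_app_oauth.argocd,
# okta_group.argocd_admin, okta_group.argocd_viewer and local.argocd_domain from
# the Okta snippet above are in scope.
locals {
  argocd_namespace = "argocd"
  okta_issuer      = "https://example.okta.com" # placeholder: your Okta org URL
}

# Dedicated Secret for the OIDC client secret. ArgoCD can read any Secret labelled
# app.kubernetes.io/part-of=argocd via the "$<secret-name>:<key>" reference syntax,
# so the secret never lands in a ConfigMap or in the Terraform-managed argocd-secret.
resource "kubernetes_secret" "argocd_okta_oidc" {
  metadata {
    name      = "argocd-okta-oidc"
    namespace = local.argocd_namespace
    labels    = { "app.kubernetes.io/part-of" = "argocd" }
  }
  data = {
    clientSecret = okta_app_oauth.argocd.client_secret
  }
}

# Patch the OIDC settings into the existing argocd-cm ConfigMap.
resource "kubernetes_config_map_v1_data" "argocd_cm" {
  metadata {
    name      = "argocd-cm"
    namespace = local.argocd_namespace
  }
  force = true
  data = {
    url = "https://${local.argocd_domain}"
    "oidc.config" = yamlencode({
      name            = "Okta"
      issuer          = local.okta_issuer
      clientID        = okta_app_oauth.argocd.client_id
      clientSecret    = "$argocd-okta-oidc:clientSecret"
      # "groups" must be requested, otherwise the filtered claim is never sent.
      requestedScopes = ["openid", "profile", "email", "groups"]
    })
  }
}

# Map the two Okta group names emitted by the filtered "groups" claim to ArgoCD roles.
resource "kubernetes_config_map_v1_data" "argocd_rbac_cm" {
  metadata {
    name      = "argocd-rbac-cm"
    namespace = local.argocd_namespace
  }
  force = true
  data = {
    "policy.csv" = <<-EOT
      g, ${okta_group.argocd_admin.name}, role:admin
      g, ${okta_group.argocd_viewer.name}, role:readonly
    EOT
    # Empty default: a user who authenticates without one of these groups gets nothing.
    "policy.default" = ""
    # Tell ArgoCD to evaluate RBAC subjects against the "groups" claim.
    scopes = "[groups]"
  }
}
```

Taking the group names from the okta_group resources rather than retyping them keeps the Okta and ArgoCD sides from drifting apart, and the empty policy.default is the check worth keeping: with the Okta app assigned only to argocd-admin and argocd-viewer, anyone outside those groups is refused at Okta, and anyone who somehow authenticates with a different group still ends up with no ArgoCD permissions.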