split okta tenant for business and admin work (#24)

abbaspour · web-flow · commit ce24e64ca02d · 2025-10-31T15:31:14.000+11:00
diff --git a/readme.md b/readme.md
@@ -785,18 +785,18 @@ Sample access_token. `org_id` is nullable for donors.
 
 # Screenplays
 
-| No | Screenplay                       | Video                            | Website  | Demo Topic                     |
-|----|----------------------------------|----------------------------------|----------|--------------------------------|
-| 01 | [s-01.txt](./videos/01/s-01.txt) | [s-01.mp4](./videos/01/s-01.mp4) | Donor    | Ideation                       |
-| 02 | [s-02.txt](./videos/02/s-02.txt) | [s-02.mp4](./videos/02/s-02.mp4) | Donor    | Credential login, MyAccount    |
-| 03 | [s-03.txt](./videos/03/s-03.txt) | [s-03.mp4](./videos/03/s-03.mp4) | Donor    | Social login & account linking |
-| 04 | [s-04.txt](./videos/04/s-04.txt) | [s-04.mp4](./videos/04/s-04.mp4) | Business | Credential login & RBAC        |
-| 05 | [s-05.txt](./videos/05/s-05.txt) | [s-05.mp4](./videos/05/s-05.mp4) | Business | Federation and HRD             |
-| 06 | [s-06.txt](./videos/06/s-06.txt) | [s-06.mp4](./videos/06/s-06.mp4) | Business | SS-SSO, SCIM                   |
-| 07 | [s-07.txt](./videos/07/s-07.txt) | [s-07.mp4](./videos/07/s-07.mp4) | Both     | RTL & ACL                      |
-| 08 | [s-08.txt](./videos/08/s-08.txt) | [s-08.mp4](./videos/08/s-08.mp4) | Donor    | Bulk import & Forms            |
-| 09 | [s-09.txt](./videos/09/s-09.txt) | [s-09.mp4](./videos/09/s-09.mp4) | Donor    | MCD                            |
-| 10 | [s-10.txt](./videos/10/s-10.txt) | [s-10.mp4](./videos/10/s-10.mp4) | Donor    | User events                    |
-| 11 | [s-11.txt](./videos/11/s-11.txt) | [s-11.mp4](./videos/11/s-11.mp4) | Business | Connected Account              |
-| 12 | [s-12.txt](./videos/12/s-12.txt) | [s-12.mp4](./videos/12/s-12.mp4) | Business | CIBA                           |
-| 13 | [s-13.txt](./videos/13/s-13.txt) | [s-13.mp4](./videos/13/s-13.mp4) | Both     | Closing thoughts               |
+| No | Screenplay                       | Video                            | Website  | Demo Topic                        |
+|----|----------------------------------|----------------------------------|----------|-----------------------------------|
+| 01 | [s-01.txt](./videos/01/s-01.txt) | [s-01.mp4](./videos/01/s-01.mp4) | Donor    | Ideation                          |
+| 02 | [s-02.txt](./videos/02/s-02.txt) | [s-02.mp4](./videos/02/s-02.mp4) | Donor    | Credential login, MyAccount       |
+| 03 | [s-03.txt](./videos/03/s-03.txt) | [s-03.mp4](./videos/03/s-03.mp4) | Donor    | Social login & account linking    |
+| 04 | [s-04.txt](./videos/04/s-04.txt) | [s-04.mp4](./videos/04/s-04.mp4) | Business | Credential login & RBAC & Chiclet |
+| 05 | [s-05.txt](./videos/05/s-05.txt) | [s-05.mp4](./videos/05/s-05.mp4) | Business | Federation and HRD                |
+| 06 | [s-06.txt](./videos/06/s-06.txt) | [s-06.mp4](./videos/06/s-06.mp4) | Business | SS-SSO, SCIM                      |
+| 07 | [s-07.txt](./videos/07/s-07.txt) | [s-07.mp4](./videos/07/s-07.mp4) | Both     | RTL & ACL                         |
+| 08 | [s-08.txt](./videos/08/s-08.txt) | [s-08.mp4](./videos/08/s-08.mp4) | Donor    | Bulk import & Forms               |
+| 09 | [s-09.txt](./videos/09/s-09.txt) | [s-09.mp4](./videos/09/s-09.mp4) | Donor    | MCD                               |
+| 10 | [s-10.txt](./videos/10/s-10.txt) | [s-10.mp4](./videos/10/s-10.mp4) | Donor    | User events                       |
+| 11 | [s-11.txt](./videos/11/s-11.txt) | [s-11.mp4](./videos/11/s-11.mp4) | Business | Connected Account                 |
+| 12 | [s-12.txt](./videos/12/s-12.txt) | [s-12.mp4](./videos/12/s-12.mp4) | Business | CIBA                              |
+| 13 | [s-13.txt](./videos/13/s-13.txt) | [s-13.mp4](./videos/13/s-13.mp4) | Both     | Closing thoughts                  |
diff --git a/tf/05-orgs-federate.tf b/tf/05-orgs-federate.tf
@@ -1,10 +1,12 @@
 ## -- Okta --
 resource "okta_app_signon_policy" "only_1fa" {
+  provider = okta.business
   name        = "Replate Org 1FA policy"
   description = "Authentication Policy to be used simple apps."
 }
 
 resource "okta_app_signon_policy_rule" "only_1fa_rule" {
+  provider = okta.business
   policy_id                   = okta_app_signon_policy.only_1fa.id
   name                        = "Password only"
   factor_mode                 = "1FA"
@@ -23,12 +25,14 @@ resource "okta_app_signon_policy_rule" "only_1fa_rule" {
 # Okta Group for Federated Supplier employees
 # VISIT https://amin-admin.okta.com/admin/group/00g7583ngaQ9Nurc33l7
 resource "okta_group" "supplier_workforce" {
+  provider = okta.business
   name        = "Supplier Workforce"
   description = "Group for all Supplier workforce employees"
 }
 
 # RWA Application for Auth0 integration
 resource "okta_app_oauth" "replate-rwa" {
+  provider = okta.business
   label                      = "Replate Business Federation"
   type                       = "web"
   grant_types                = ["authorization_code"]
@@ -46,6 +50,7 @@ resource "okta_app_oauth" "replate-rwa" {
 }
 
 resource "okta_app_group_assignments" "replate-rwa-group-assignment" {
+  provider = okta.business
   app_id = okta_app_oauth.replate-rwa.id
   group {
     id = okta_group.supplier_workforce.id
@@ -54,6 +59,7 @@ resource "okta_app_group_assignments" "replate-rwa-group-assignment" {
 
 # Sample users for the workforce group
 resource "okta_user" "supplier-io_admin" {
+  provider = okta.business
   first_name = "Adam"
   last_name  = "Supplier"
   login      = "admin@supplier.io"
@@ -63,6 +69,7 @@ resource "okta_user" "supplier-io_admin" {
 }
 
 resource "okta_user" "supplier-io_member" {
+  provider = okta.business
   first_name = "Maria"
   last_name  = "Supplier"
   login      = "member@supplier.io"
@@ -74,6 +81,7 @@ resource "okta_user" "supplier-io_member" {
 
 # Assign users to the workforce group
 resource "okta_group_memberships" "supplier-io_members" {
+  provider = okta.business
   group_id = okta_group.supplier_workforce.id
   users = [
     okta_user.supplier-io_admin.id,
diff --git a/tf/admin.tf b/tf/admin.tf
@@ -94,7 +94,7 @@ resource "auth0_connection" "replate_workforce" {
   options {
     client_id     = okta_app_oauth.auth0_rwa.client_id
     client_secret = okta_app_oauth.auth0_rwa.client_secret
-    domain        = "${var.okta_org_name}.${var.okta_base_url}"
+    domain        = "${var.okta_admin_org_name}.${var.okta_admin_base_url}"
 
     # OIDC configuration
     #discovery_url = "https://${var.okta_org_name}.${var.okta_base_url}/.well-known/openid-configuration"
diff --git a/tf/providers.tf b/tf/providers.tf
@@ -36,5 +36,13 @@ provider "okta" {
   org_name    = var.okta_org_name
   base_url    = var.okta_base_url
   api_token = var.okta_tf_api_token
+  alias = "business"
+}
+
+provider "okta" {
+  org_name    = var.okta_admin_org_name
+  base_url    = var.okta_admin_base_url
+  api_token = var.okta_admin_tf_api_token
+  alias = "admin"
 }
 
diff --git a/tf/replate-workforce.tf b/tf/replate-workforce.tf
@@ -1,11 +1,13 @@
 # Okta Group for Replate Workforce employees
 resource "okta_group" "replate_workforce" {
+  provider = okta.admin
   name        = "Replate Workforce"
   description = "Group for all Replate workforce employees"
 }
 
 # RWA Application for Auth0 integration
 resource "okta_app_oauth" "auth0_rwa" {
+  provider = okta.admin
   label                      = "Auth0 Workforce Federation"
   type                       = "web"
   grant_types                = ["authorization_code"]
@@ -24,6 +26,7 @@ resource "okta_app_oauth" "auth0_rwa" {
 }
 
 resource "okta_app_group_assignments" "auth0-rwa-group-assignment" {
+  provider = okta.admin
   app_id = okta_app_oauth.auth0_rwa.id
   group {
     id = okta_group.replate_workforce.id
@@ -32,6 +35,7 @@ resource "okta_app_group_assignments" "auth0-rwa-group-assignment" {
 
 # Sample users for the workforce group
 resource "okta_user" "workforce_user1" {
+  provider = okta.admin
   first_name = "John"
   last_name  = "Smith"
   login      = "john.smith@replate.dev"
@@ -41,6 +45,7 @@ resource "okta_user" "workforce_user1" {
 }
 
 resource "okta_user" "workforce_user2" {
+  provider = okta.admin
   first_name = "Jane"
   last_name  = "Doe"  
   login      = "jane.doe@replate.dev"
@@ -50,6 +55,7 @@ resource "okta_user" "workforce_user2" {
 }
 # Assign users to the workforce group
 resource "okta_group_memberships" "replate_workforce_members" {
+  provider = okta.admin
   group_id = okta_group.replate_workforce.id
   users = [
     okta_user.workforce_user1.id,
diff --git a/tf/variables.tf b/tf/variables.tf
@@ -57,7 +57,7 @@ variable "cloudflare_d1_db_name" {
   default     = "replate-crm"
 }
 
-## okta
+## okta (for replate customers)
 variable "okta_org_name" {
   type        = string
   description = "Okta org name"
@@ -81,6 +81,23 @@ variable "okta_base_url" {
   default = "okta.com"
 }
 
+## Okta admin (for replate workforce team)
+variable "okta_admin_org_name" {
+  type        = string
+  description = "Okta admin org name"
+}
+
+variable "okta_admin_tf_api_token" {
+  type        = string
+  description = "Okta Admin Terraform API token"
+  sensitive = true
+}
+
+variable "okta_admin_base_url" {
+  type = string
+  default = "okta.com"
+}
+
 ## LinkedIn Social
 variable "linkedin_client_id" {
   type = string
