Added Authentik TF code
@@ -11,15 +11,63 @@ data "authentik_flow" "default_invalidation_flow" {
|
||||
slug = var.default_invalidation_flow
|
||||
}
|
||||
|
||||
resource "authentik_group" "groups" {
|
||||
for_each = var.groups
|
||||
# Root groups (without parent)
|
||||
resource "authentik_group" "root_groups" {
|
||||
for_each = {
|
||||
for k, v in var.groups : k => v
|
||||
if v.parent == null
|
||||
}
|
||||
|
||||
name = each.value.name
|
||||
is_superuser = each.value.is_superuser
|
||||
parent = each.value.parent
|
||||
attributes = jsonencode(each.value.attributes)
|
||||
}
|
||||
|
||||
# Child groups (with parent)
|
||||
resource "authentik_group" "child_groups" {
|
||||
for_each = {
|
||||
for k, v in var.groups : k => v
|
||||
if v.parent != null
|
||||
}
|
||||
|
||||
name = each.value.name
|
||||
is_superuser = each.value.is_superuser
|
||||
parent = authentik_group.root_groups[each.value.parent].id
|
||||
attributes = jsonencode(each.value.attributes)
|
||||
|
||||
depends_on = [authentik_group.root_groups]
|
||||
}
|
||||
|
||||
# Auto-created groups for proxy applications
|
||||
resource "authentik_group" "proxy_app_groups" {
|
||||
for_each = {
|
||||
for k, v in var.proxy_applications : k => v
|
||||
if v.create_group == true
|
||||
}
|
||||
|
||||
name = "TF-${each.value.name} Users"
|
||||
is_superuser = false
|
||||
attributes = jsonencode({
|
||||
notes = "Auto-created for ${each.value.name} application"
|
||||
app_slug = each.value.slug
|
||||
})
|
||||
}
|
||||
|
||||
# Auto-created groups for OAuth applications
|
||||
resource "authentik_group" "oauth_app_groups" {
|
||||
for_each = {
|
||||
for k, v in var.oauth_applications : k => v
|
||||
if v.create_group == true
|
||||
}
|
||||
|
||||
name = "TF-${each.value.name} Users"
|
||||
is_superuser = false
|
||||
attributes = jsonencode({
|
||||
notes = "Auto-created for ${each.value.name} application"
|
||||
app_slug = each.value.slug
|
||||
})
|
||||
}
|
||||
|
||||
resource "authentik_certificate_key_pair" "certificates" {
|
||||
for_each = var.certificates
|
||||
|
||||
@@ -92,6 +140,16 @@ module "oauth_applications" {
|
||||
meta_description = each.value.meta_description
|
||||
meta_launch_url = each.value.meta_launch_url
|
||||
meta_icon = each.value.meta_icon
|
||||
scope_mappings = each.value.scope_mappings
|
||||
|
||||
# Access control - only pass explicitly defined groups
|
||||
access_groups = [
|
||||
for group_key in each.value.access_groups :
|
||||
try(
|
||||
authentik_group.root_groups[group_key].id,
|
||||
authentik_group.child_groups[group_key].id
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
module "proxy_applications" {
|
||||
@@ -119,6 +177,76 @@ module "proxy_applications" {
|
||||
meta_description = each.value.meta_description
|
||||
meta_launch_url = each.value.meta_launch_url
|
||||
meta_icon = each.value.meta_icon
|
||||
|
||||
# Access control - only pass explicitly defined groups
|
||||
access_groups = [
|
||||
for group_key in each.value.access_groups :
|
||||
try(
|
||||
authentik_group.root_groups[group_key].id,
|
||||
authentik_group.child_groups[group_key].id
|
||||
)
|
||||
]
|
||||
}
|
||||
|
||||
# Binding auto-created groups to their applications
|
||||
resource "authentik_policy_binding" "auto_group_bindings" {
|
||||
for_each = {
|
||||
for k, v in var.proxy_applications : k => v
|
||||
if v.create_group == true
|
||||
}
|
||||
|
||||
target = module.proxy_applications[each.key].application_uuid
|
||||
group = authentik_group.proxy_app_groups[each.key].id
|
||||
order = 100
|
||||
|
||||
depends_on = [
|
||||
module.proxy_applications,
|
||||
authentik_group.proxy_app_groups
|
||||
]
|
||||
}
|
||||
|
||||
# Binding auto-created groups to their OAuth applications
|
||||
resource "authentik_policy_binding" "oauth_auto_group_bindings" {
|
||||
for_each = {
|
||||
for k, v in var.oauth_applications : k => v
|
||||
if v.create_group == true
|
||||
}
|
||||
|
||||
target = module.oauth_applications[each.key].application_uuid
|
||||
group = authentik_group.oauth_app_groups[each.key].id
|
||||
order = 100
|
||||
|
||||
depends_on = [
|
||||
module.oauth_applications,
|
||||
authentik_group.oauth_app_groups
|
||||
]
|
||||
}
|
||||
|
||||
module "saml_applications" {
|
||||
source = "./modules/saml-provider"
|
||||
|
||||
for_each = var.saml_applications
|
||||
|
||||
name = each.value.name
|
||||
app_name = each.value.name
|
||||
app_slug = each.value.slug
|
||||
app_group = each.value.group
|
||||
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
||||
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
||||
acs_url = each.value.acs_url
|
||||
issuer = each.value.issuer
|
||||
audience = each.value.audience
|
||||
sp_binding = each.value.sp_binding
|
||||
signing_key = each.value.signing_key
|
||||
property_mappings = [for pm in each.value.property_mappings : authentik_property_mapping_provider_saml.saml_mappings[pm].id]
|
||||
name_id_mapping = each.value.name_id_mapping != null ? authentik_property_mapping_provider_saml.saml_mappings[each.value.name_id_mapping].id : null
|
||||
assertion_valid_not_before = each.value.assertion_valid_not_before
|
||||
assertion_valid_not_on_or_after = each.value.assertion_valid_not_on_or_after
|
||||
session_valid_not_on_or_after = each.value.session_valid_not_on_or_after
|
||||
policy_engine_mode = each.value.policy_engine_mode
|
||||
meta_description = each.value.meta_description
|
||||
meta_launch_url = each.value.meta_launch_url
|
||||
meta_icon = each.value.meta_icon
|
||||
}
|
||||
|
||||
locals {
|
||||
|
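Review bot: The `auto_group_bindings` and `oauth_auto_group_bindings` resources bind the auto-created group at `order = 100` without recording how that binding composes with the `access_groups` bindings the provider modules presumably create from the list passed in the second and third hunks, so the resulting access decision depends on each application's `policy_engine_mode`: under `all` the auto-created group becomes an extra requirement on top of `access_groups`, under `any` it becomes an alternative way in. A comment next to `order = 100` such as `# evaluated alongside the module's access_groups bindings; with policy_engine_mode = "all" membership here is required in addition to access_groups` would make the intended semantics explicit (the module bodies are outside this diff, so the relative ordering is inferred). In the first hunk, `proxy_app_groups` and `oauth_app_groups` both name their group `"TF-${each.value.name} Users"`, so a proxy application and an OAuth application sharing a display name yield two groups with identical names, which Authentik may reject or duplicate depending on its uniqueness rules; embedding the provider type, e.g. `name = "TF-${each.value.name} Proxy Users"`, avoids the collision. The `depends_on` lists on both bindings and on `child_groups` duplicate dependencies already implied by the attribute references (`target`, `group`, `parent`) and can be dropped; on resources that reference module outputs they also tend to defer more values to apply time than necessary.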
||||