deployed auth-proxy

terraform/keycloak/main.tf

@@ -35,17 +35,19 @@ resource "keycloak_oidc_google_identity_provider" "google" {
 }
 
 # =============================================================================
-# Default groups
+# Standalone groups
 # =============================================================================
 
-resource "keycloak_group" "users" {
+resource "keycloak_group" "standalone" {
+  for_each = toset(var.groups)
+
   realm_id = keycloak_realm.hexor.id
-  name     = "users"
+  name     = each.value
 }
 
 resource "keycloak_default_groups" "default" {
   realm_id  = keycloak_realm.hexor.id
-  group_ids = [keycloak_group.users.id]
+  group_ids = [for g in keycloak_group.standalone : g.id if g.name == "users"]
 }
 
 # =============================================================================
@@ -131,3 +133,40 @@ resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
     "email",
   ]
 }
+
+# =============================================================================
+# Proxy applications — auto-created groups + routes ConfigMap
+# =============================================================================
+
+resource "keycloak_group" "app" {
+  for_each = var.proxy_applications
+
+  realm_id = keycloak_realm.hexor.id
+  name     = "app-${each.key}"
+}
+
+locals {
+  app_allowed_groups = {
+    for k, v in var.proxy_applications : k => concat(
+      ["app-${k}"],
+      v.allowed_groups
+    )
+  }
+}
+
+resource "kubernetes_config_map" "auth_proxy_routes" {
+  metadata {
+    name      = "auth-proxy-routes"
+    namespace = "auth-proxy"
+  }
+
+  data = {
+    "routes.yaml" = yamlencode({
+      routes = {
+        for k, v in var.proxy_applications : v.domain => {
+          allowed_groups = local.app_allowed_groups[k]
+        }
+      }
+    })
+  }
+}