# Input variables for the authentik applications/providers module.
# Every map below defaults to {} so a caller only declares the object kinds it needs.
# How each attribute is consumed is decided by resources outside this file.

# --- OAuth2 / OpenID Connect providers ---------------------------------------
variable "oauth_applications" {
  type = map(object({
    # Application identity and presentation
    name               = string
    slug               = string
    group              = optional(string, "")
    policy_engine_mode = optional(string, "all")
    meta_description   = optional(string, "")
    meta_launch_url    = optional(string, "")
    meta_icon          = optional(string, "")

    # Client registration.
    # redirect_uris is required: it is the list of callback locations the provider
    # may send authorization responses to, so keep every entry as specific as possible.
    redirect_uris = list(string)
    # "confidential" (the default) is the OAuth client type that authenticates with a secret.
    client_type = optional(string, "confidential")
    client_id   = optional(string, null)

    # Token behaviour. Defaults keep codes and access tokens short-lived (1 and 5
    # minutes); the 30-day refresh token is the long-lived credential of the three.
    include_claims_in_id_token = optional(bool, true)
    access_code_validity       = optional(string, "minutes=1")
    access_token_validity      = optional(string, "minutes=5")
    refresh_token_validity     = optional(string, "days=30")

    # Claims, flow and signing
    property_mappings  = optional(list(string), [])
    authorization_flow = optional(string, null)
    # NOTE(review): null signing_key - confirm which key (if any) the consuming
    # resource falls back to, since it determines how tokens are signed.
    signing_key    = optional(string, null)
    scope_mappings = optional(list(string), ["openid", "profile", "email"])

    # Outpost binding and access control
    outpost       = optional(string, null)
    create_group  = optional(bool, false)
    access_groups = optional(list(string), [])
  }))
  description = "Map of OAuth2/OpenID applications"
  default     = {}
}

# --- Proxy providers ---------------------------------------------------------
variable "proxy_applications" {
  type = map(object({
    # Application identity and presentation
    name               = string
    slug               = string
    group              = optional(string, "")
    policy_engine_mode = optional(string, "all")
    meta_description   = optional(string, "")
    meta_launch_url    = optional(string, "")
    meta_icon          = optional(string, "")

    # Hosts
    external_host = string
    internal_host = optional(string, "")
    # Defaults to true; presumably false disables certificate verification towards
    # internal_host - verify against the consuming resource before turning it off.
    internal_host_ssl_validation = optional(bool, true)
    mode                         = optional(string, "proxy")

    # Header / basic-auth passthrough, all disabled by default.
    # NOTE(review): the *_attribute fields name user attributes that presumably hold
    # upstream credentials - confirm how they are stored and who can read them.
    intercept_header_auth         = optional(bool, false)
    basic_auth_enabled            = optional(bool, false)
    basic_auth_username_attribute = optional(string, "")
    basic_auth_password_attribute = optional(string, "")

    cookie_domain      = optional(string, "")
    authorization_flow = optional(string, null)
    # NOTE(review): paths matching this regex presumably bypass authentication;
    # keep patterns anchored and narrow. Empty by default.
    skip_path_regex = optional(string, "")

    # Outpost binding and access control
    outpost       = optional(string, null)
    create_group  = optional(bool, false)
    access_groups = optional(list(string), [])
  }))
  description = "Map of Proxy applications"
  default     = {}
}

# --- SAML providers ----------------------------------------------------------
variable "saml_applications" {
  type = map(object({
    # Application identity and presentation
    name               = string
    slug               = string
    group              = optional(string, "")
    policy_engine_mode = optional(string, "all")
    meta_description   = optional(string, "")
    meta_launch_url    = optional(string, "")
    meta_icon          = optional(string, "")

    # Service-provider endpoints; all three are required.
    acs_url    = string
    issuer     = string
    audience   = string
    sp_binding = optional(string, "post")

    # NOTE(review): null signing_key - confirm whether assertions end up unsigned
    # when no key is supplied.
    signing_key       = optional(string, null)
    property_mappings = optional(list(string), [])
    name_id_mapping   = optional(string, null)

    # Validity windows. Assertions default to a -5/+5 minute window; the session
    # default of minutes=86400 is 60 days.
    assertion_valid_not_before      = optional(string, "minutes=-5")
    assertion_valid_not_on_or_after = optional(string, "minutes=5")
    session_valid_not_on_or_after   = optional(string, "minutes=86400")

    authorization_flow = optional(string, null)
  }))
  description = "Map of SAML applications"
  default     = {}
}

# --- Outposts ----------------------------------------------------------------
variable "outposts" {
  type = map(object({
    name = string
    # Untyped map: Terraform does not check the keys or value types given here.
    config = optional(map(any), {})
  }))
  description = "Map of Outposts (only proxy type supported)"
  default     = {}
}

# --- Flows -------------------------------------------------------------------
variable "flows" {
  type = map(object({
    name               = string
    title              = string
    slug               = string
    designation        = string
    policy_engine_mode = optional(string, "all")
    compatibility_mode = optional(bool, false)
    layout             = optional(string, "stacked")
    denied_action      = optional(string, "message_continue")
  }))
  description = "Map of authentication flows"
  default     = {}
}

# --- Groups ------------------------------------------------------------------
variable "groups" {
  type = map(object({
    name = string
    # Off unless set explicitly; review any entry that enables it, since the
    # attribute name indicates administrative privilege for the group's members.
    is_superuser = optional(bool, false)
    parent       = optional(string, null)
    attributes   = optional(map(any), {})
  }))
  description = "Map of user groups"
  default     = {}
}

# --- Certificates ------------------------------------------------------------
# key_data carries private-key material and this variable is not declared
# `sensitive`, so values can be shown in plan output and are stored in state.
# Supply key_data from a secret store rather than a committed tfvars file and
# protect the state backend accordingly.
# NOTE(review): adding `sensitive = true` would conflict with a for_each over
# this map, if the module uses one - check the consuming resource first.
variable "certificates" {
  type = map(object({
    name             = string
    certificate_data = string
    key_data         = string
    managed          = optional(string, null)
  }))
  description = "Map of certificates for HTTPS"
  default     = {}
}

# --- Property mappings -------------------------------------------------------
variable "property_mappings" {
  type = map(object({
    name = string
    # authentik property-mapping expressions are code evaluated by the server;
    # review changes to them the same way as any other code change.
    expression = string
    saml_name  = optional(string, null)
    oidc_scope = optional(string, null)
  }))
  description = "Custom property mappings for SAML/OAuth"
  default     = {}
}

# --- Default flow slugs ------------------------------------------------------
# NOTE(review): the default authorization slug names an implicit-consent flow,
# i.e. presumably no consent prompt is shown; set authorization_flow per
# application where explicit consent is wanted.
variable "default_authorization_flow" {
  type        = string
  description = "Default authorization flow slug"
  default     = "default-provider-authorization-implicit-consent"
}

variable "default_authentication_flow" {
  type        = string
  description = "Default authentication flow slug"
  default     = "default-authentication-flow"
}

variable "default_invalidation_flow" {
  type        = string
  description = "Default invalidation flow slug"
  default     = "default-provider-invalidation-flow"
}

# --- Miscellaneous -----------------------------------------------------------
variable "tags" {
  type        = map(string)
  description = "Tags to apply to all resources"
  default     = {}
}

# The default is one concrete deployment's hostname; callers targeting any other
# instance must override it, otherwise the module addresses that host.
variable "authentik_url" {
  type        = string
  description = "Authentik URL"
  default     = "https://idm.hexor.cy"
}