terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = ">= 2023.10.0"
    }
  }
}

resource "authentik_provider_proxy" "provider" {
  name                         = var.name
  external_host               = var.external_host
  internal_host               = var.internal_host
  internal_host_ssl_validation = var.internal_host_ssl_validation
  authorization_flow          = var.authorization_flow
  invalidation_flow           = var.invalidation_flow
  mode                        = var.mode
  cookie_domain              = var.cookie_domain
  skip_path_regex            = var.skip_path_regex
  intercept_header_auth      = var.intercept_header_auth
  basic_auth_enabled         = var.basic_auth_enabled
  basic_auth_password_attribute = var.basic_auth_password_attribute
  
  property_mappings          = var.property_mappings
}

resource "authentik_application" "app" {
  name                = var.app_name
  slug                = var.app_slug
  protocol_provider   = authentik_provider_proxy.provider.id
  group              = var.app_group
  policy_engine_mode = var.policy_engine_mode
  meta_description   = var.meta_description
  meta_launch_url    = var.meta_launch_url
  meta_icon          = var.meta_icon
}

resource "authentik_policy_binding" "app_access" {
  for_each = var.access_policies

  target = authentik_application.app.id
  policy = each.value.policy_id
  order  = each.value.order
  
  enabled        = lookup(each.value, "enabled", true)
  timeout        = lookup(each.value, "timeout", 30)
  negate         = lookup(each.value, "negate", false)
  failure_result = lookup(each.value, "failure_result", true)
}