181 lines
6.4 KiB
HCL
181 lines
6.4 KiB
HCL
|
|
data "authentik_flow" "default_authorization_flow" {
|
|
slug = var.default_authorization_flow
|
|
}
|
|
|
|
data "authentik_flow" "default_authentication_flow" {
|
|
slug = var.default_authentication_flow
|
|
}
|
|
|
|
data "authentik_flow" "default_invalidation_flow" {
|
|
slug = var.default_invalidation_flow
|
|
}
|
|
|
|
resource "authentik_group" "groups" {
|
|
for_each = var.groups
|
|
|
|
name = each.value.name
|
|
is_superuser = each.value.is_superuser
|
|
parent = each.value.parent
|
|
attributes = jsonencode(each.value.attributes)
|
|
}
|
|
|
|
resource "authentik_certificate_key_pair" "certificates" {
|
|
for_each = var.certificates
|
|
|
|
name = each.value.name
|
|
certificate_data = each.value.certificate_data
|
|
key_data = each.value.key_data
|
|
}
|
|
|
|
|
|
data "authentik_service_connection_kubernetes" "local_k8s" {
|
|
name = "Local Kubernetes Cluster"
|
|
}
|
|
|
|
resource "authentik_flow" "flows" {
|
|
for_each = var.flows
|
|
|
|
name = each.value.name
|
|
title = each.value.title
|
|
slug = each.value.slug
|
|
designation = each.value.designation
|
|
policy_engine_mode = each.value.policy_engine_mode
|
|
compatibility_mode = each.value.compatibility_mode
|
|
layout = each.value.layout
|
|
denied_action = each.value.denied_action
|
|
}
|
|
|
|
resource "authentik_property_mapping_provider_scope" "oidc_mappings" {
|
|
for_each = {
|
|
for k, v in var.property_mappings : k => v
|
|
if v.oidc_scope != null
|
|
}
|
|
|
|
name = each.value.name
|
|
scope_name = each.value.oidc_scope
|
|
expression = each.value.expression
|
|
}
|
|
|
|
resource "authentik_property_mapping_provider_saml" "saml_mappings" {
|
|
for_each = {
|
|
for k, v in var.property_mappings : k => v
|
|
if v.saml_name != null
|
|
}
|
|
|
|
name = each.value.name
|
|
saml_name = each.value.saml_name
|
|
expression = each.value.expression
|
|
}
|
|
|
|
module "oauth_applications" {
|
|
source = "./modules/oauth-provider"
|
|
|
|
for_each = var.oauth_applications
|
|
|
|
name = each.value.name
|
|
app_name = each.value.name
|
|
app_slug = each.value.slug
|
|
app_group = each.value.group
|
|
client_id = each.value.client_id
|
|
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
|
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
|
redirect_uris = each.value.redirect_uris
|
|
client_type = each.value.client_type
|
|
include_claims_in_id_token = each.value.include_claims_in_id_token
|
|
access_code_validity = each.value.access_code_validity
|
|
access_token_validity = each.value.access_token_validity
|
|
refresh_token_validity = each.value.refresh_token_validity
|
|
property_mappings = each.value.property_mappings
|
|
signing_key = each.value.signing_key
|
|
policy_engine_mode = each.value.policy_engine_mode
|
|
meta_description = each.value.meta_description
|
|
meta_launch_url = each.value.meta_launch_url
|
|
meta_icon = each.value.meta_icon
|
|
}
|
|
|
|
module "proxy_applications" {
|
|
source = "./modules/proxy-provider"
|
|
|
|
for_each = var.proxy_applications
|
|
|
|
name = each.value.name
|
|
app_name = each.value.name
|
|
app_slug = each.value.slug
|
|
app_group = each.value.group
|
|
external_host = each.value.external_host
|
|
internal_host = each.value.internal_host
|
|
internal_host_ssl_validation = each.value.internal_host_ssl_validation
|
|
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
|
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
|
mode = each.value.mode
|
|
intercept_header_auth = each.value.intercept_header_auth
|
|
basic_auth_enabled = each.value.basic_auth_enabled
|
|
basic_auth_user_attribute = each.value.basic_auth_username_attribute
|
|
basic_auth_password_attribute = each.value.basic_auth_password_attribute
|
|
cookie_domain = each.value.cookie_domain
|
|
skip_path_regex = each.value.skip_path_regex
|
|
policy_engine_mode = each.value.policy_engine_mode
|
|
meta_description = each.value.meta_description
|
|
meta_launch_url = each.value.meta_launch_url
|
|
meta_icon = each.value.meta_icon
|
|
}
|
|
|
|
locals {
|
|
oauth_outpost_assignments = {
|
|
for app_key, app in var.oauth_applications : app_key => app.outpost
|
|
if app.outpost != null
|
|
}
|
|
|
|
proxy_outpost_assignments = {
|
|
for app_key, app in var.proxy_applications : app_key => app.outpost
|
|
if app.outpost != null
|
|
}
|
|
|
|
outpost_providers = {
|
|
for outpost_key, outpost in var.outposts : outpost_key => concat(
|
|
[for app_key, app_outpost in local.oauth_outpost_assignments :
|
|
module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
|
|
[for app_key, app_outpost in local.proxy_outpost_assignments :
|
|
module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
|
|
)
|
|
}
|
|
}
|
|
|
|
resource "authentik_outpost" "outposts" {
|
|
for_each = {
|
|
for k, v in var.outposts : k => v
|
|
if length(lookup(local.outpost_providers, k, [])) > 0
|
|
}
|
|
|
|
name = each.value.name
|
|
type = "proxy"
|
|
protocol_providers = local.outpost_providers[each.key]
|
|
service_connection = data.authentik_service_connection_kubernetes.local_k8s.id
|
|
config = jsonencode({
|
|
log_level = "info"
|
|
docker_labels = null
|
|
authentik_host = var.authentik_url
|
|
docker_network = null
|
|
container_image = null
|
|
docker_map_ports = true
|
|
refresh_interval = "minutes=5"
|
|
kubernetes_replicas = 1
|
|
kubernetes_namespace = "authentik"
|
|
authentik_host_browser = ""
|
|
object_naming_template = "ak-outpost-%(name)s"
|
|
authentik_host_insecure = false
|
|
kubernetes_json_patches = null
|
|
kubernetes_service_type = "ClusterIP"
|
|
kubernetes_image_pull_secrets = []
|
|
kubernetes_ingress_class_name = null
|
|
kubernetes_disabled_components = []
|
|
kubernetes_ingress_annotations = {}
|
|
kubernetes_ingress_secret_name = "authentik-outpost-tls"
|
|
})
|
|
|
|
depends_on = [
|
|
module.oauth_applications,
|
|
module.proxy_applications
|
|
]
|
|
} |