Move terraform files into modules

modules/services/authentik.tf

@@ -0,0 +1,33 @@
+data "authentik_flow" "default_authorization_flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_certificate_key_pair" "default" {
+  name = "auth.serguzim.me"
+}
+
+data "authentik_property_mapping_provider_scope" "default_scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+}
+
+resource "authentik_provider_oauth2" "service_providers" {
+  for_each           = local.services_auth
+  name               = each.value.name
+  client_type        = "confidential"
+  client_id          = each.value.name
+  authorization_flow = data.authentik_flow.default_authorization_flow.id
+  redirect_uris      = each.value.auth_redirects
+  property_mappings  = data.authentik_property_mapping_provider_scope.default_scopes.ids
+  signing_key        = data.authentik_certificate_key_pair.default.id
+}
+
+resource "authentik_application" "service_applications" {
+  for_each          = local.services_auth
+  name              = each.value.name
+  slug              = "${each.value.subdomain}-serguzim-me"
+  protocol_provider = authentik_provider_oauth2.service_providers[each.key].id
+}

modules/services/main.tf

@@ -0,0 +1,33 @@
+terraform {
+  required_providers {
+    authentik = {
+      source = "goauthentik/authentik"
+      version = "~> 2024.8.0"
+    }
+    postgresql = {
+      source = "cyrilgdn/postgresql"
+      version = "~> 1.23.0"
+    }
+  }
+}
+
+provider "authentik" {
+  url   = "${var.authentik_url}"
+  token = "${var.authentik_token}"
+}
+
+provider "postgresql" {
+  host            = "${var.postgresql_host}"
+  port            = "${var.postgresql_port}"
+  database        = "postgres"
+  username        = "${var.postgresql_username}"
+  password        = "${var.postgresql_password}"
+  sslmode         = "verify-full"
+  connect_timeout = 15
+}
+
+locals {
+  services_auth = {for key, val in var.services : key => val if val.auth}
+  services_database = {for key, val in var.services : key => val if val.database}
+  services_s3 = {for key, val in var.services : key => val if val.s3}
+}

modules/services/output.tf

@@ -0,0 +1,21 @@
+output "authentik_data" {
+  value = {
+    for key in keys(authentik_application.service_applications) : key => {
+      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
+      "client_id"     = authentik_provider_oauth2.service_providers[key].client_id
+      "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
+    }
+  }
+  sensitive = true
+}
+
+output "postgresql_data" {
+  value = {
+    for key in keys(postgresql_database.service_databases) : key => {
+      "user"      = postgresql_role.service_roles[key].name
+      "pass"      = postgresql_role.service_roles[key].password
+      "database"  = postgresql_database.service_databases[key].name
+    }
+  }
+  sensitive = true
+}

modules/services/postgresql.tf

@@ -0,0 +1,18 @@
+resource "random_password" "postgresql_service_passwords" {
+  for_each = local.services_database
+  length  = 32
+  special = false
+}
+
+resource "postgresql_role" "service_roles" {
+  for_each = local.services_database
+  name     = each.value.name
+  login    = true
+  password = random_password.postgresql_service_passwords[each.key].result
+}
+
+resource "postgresql_database" "service_databases" {
+  for_each = local.services_database
+  name     = each.value.name
+  owner    = postgresql_role.service_roles[each.key].name
+}

modules/services/variables.tf

@@ -0,0 +1,33 @@
+variable "authentik_url" {
+}
+
+variable "authentik_token" {
+  sensitive = true
+}
+
+
+variable "postgresql_host" {
+}
+
+variable "postgresql_port" {
+}
+
+variable "postgresql_username" {
+  sensitive = true
+}
+
+variable "postgresql_password" {
+  sensitive = true
+}
+
+
+variable "services" {
+  type = map(object({
+    name = string
+    subdomain = string
+    auth = bool
+    auth_redirects = optional(list(string))
+    s3 = bool
+    database = bool
+  }))
+}