# --- Shared authentik objects looked up by reference ------------------------

# Authorization flow every OAuth2 provider below is attached to.
data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
}

# Token-signing key pairs. Which one a service gets is decided per service
# by its `auth_cert` value ("rsa" selects the self-signed pair, anything
# else the ECDSA pair).
data "authentik_certificate_key_pair" "ecdsa" {
  name = "auth.serguzim.me"
}

data "authentik_certificate_key_pair" "rsa" {
  name = "authentik Self-signed Certificate"
}

# The three standard OIDC scopes granted to every service provider.
data "authentik_property_mapping_provider_scope" "default_scopes" {
  managed_list = [
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-openid",
    "goauthentik.io/providers/oauth2/scope-profile",
  ]
}

# --- Users and groups -------------------------------------------------------

resource "authentik_user" "default" {
  username = "serguzim"
  name     = "Tobias Reisinger"
  email    = "tobias@msrg.cc"
}

# Membership lists are managed here; NOTE(review): members added to these
# groups outside Terraform are likely to be removed on the next apply —
# confirm against the provider's handling of `users`.
resource "authentik_group" "minio_admins" {
  name  = "Minio admins"
  users = [authentik_user.default.id]
}

resource "authentik_group" "minio_users" {
  name  = "Minio users"
  users = []
}

# --- MinIO policy claim -----------------------------------------------------

# Extra scope mapping for MinIO only: emits a `minio_policy` claim derived
# from group membership. Admins get `consoleAdmin`, plain users `readonly`,
# and anyone in neither group gets no claim at all (`return None`), so the
# authorization decision for MinIO is made entirely by group membership.
resource "authentik_property_mapping_provider_scope" "minio" {
  name       = "minio"
  scope_name = "minio"
  expression = <<-EOF
    if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
        return {
            "minio_policy": "consoleAdmin",
        }
    elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
        return {
            "minio_policy": "readonly"
        }
    return None
  EOF
}

# --- One OAuth2 provider + application per service ---------------------------

# `local.services_auth` is defined elsewhere; each entry is expected to carry
# `auth_redirects`, `auth_cert` and `dns` (presumably keyed by service name).
resource "authentik_provider_oauth2" "service_providers" {
  for_each = local.services_auth

  name      = each.key
  client_id = each.key
  # No `client_secret` is set, so the provider generates one. It is persisted
  # in Terraform state, so the state backend must be treated as secret.
  client_type = "confidential"

  authorization_flow = data.authentik_flow.default_authorization_flow.id

  # NOTE(review): keep these exact URLs; depending on the authentik version,
  # entries may be interpreted as patterns rather than literal matches —
  # confirm for the provider version in use.
  redirect_uris = each.value.auth_redirects

  # Default OIDC scopes for everyone, plus the MinIO policy mapping for the
  # single "minio" service.
  property_mappings = concat(
    data.authentik_property_mapping_provider_scope.default_scopes.ids,
    each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : [],
  )

  signing_key = each.value.auth_cert == "rsa" ? data.authentik_certificate_key_pair.rsa.id : data.authentik_certificate_key_pair.ecdsa.id
}

# Application slug is the service's first DNS domain with dots replaced by
# dashes (e.g. constructed: "svc.example.org" -> "svc-example-org").
resource "authentik_application" "service_applications" {
  for_each = local.services_auth

  name              = each.key
  slug              = replace(each.value.dns[0].domain, ".", "-")
  protocol_provider = authentik_provider_oauth2.service_providers[each.key].id
}