# Authorization flow shared by every OAuth2 provider defined further down.
# The slug selects authentik's built-in "implicit consent" flow, which (as the
# name says) grants the requested scopes without showing the user a consent
# screen. That is fine for first-party applications; third-party clients
# should get the explicit-consent variant instead.
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent"
}
# Key pair used as the token signing_key of every OAuth2 provider below.
# This is authentik's bootstrap self-signed certificate, looked up by its
# default display name.
# NOTE(review): authentik generates this key pair itself; if it is ever
# regenerated or rotated, every token signed with it stops validating.
# A dedicated, Terraform-managed signing key pair would make rotation
# explicit — confirm how this certificate is managed before relying on it.
data "authentik_certificate_key_pair" "default" {
name = "authentik Self-signed Certificate"
}
# LDAP generic provider setup, as per Authentik documentation https://docs.goauthentik.io/docs/providers/ldap/generic_setup
# Last stage of the LDAP bind flow (bound at order 30 below): once the
# identification/password stage has succeeded, this stage logs the user in.
# Only created when the generic LDAP provider is enabled.
# NOTE(review): no session_duration is set, so the provider default applies —
# confirm that default is acceptable for sessions created by LDAP binds.
resource "authentik_stage_user_login" "ldap_generic" {
count = local.enable_generic_ldap_provider ? 1 : 0
name = "ldap-generic-user-login"
}
# Password stage attached to the identification stage below. The backends
# list is order-sensitive (authentication backends are tried in the order
# given), so it is left exactly as the authentik generic-LDAP setup
# documents it; do not reorder without a reason.
# NOTE(review): no failed_attempts_before_cancel is set, so the provider
# default applies. Cancelling the flow does not lock the account; brute-force
# protection still has to come from a reputation/lockout policy — confirm one
# exists for this flow.
resource "authentik_stage_password" "ldap_generic" {
count = local.enable_generic_ldap_provider ? 1 : 0
name = "ldap-generic-password"
backends = [
# app-password / token based logins
"authentik.core.auth.TokenBackend",
# authentik's own user database
"authentik.core.auth.InbuiltBackend",
# passwords checked against the configured LDAP source(s)
"authentik.sources.ldap.auth.LDAPBackend"
]
}
# Identification stage of the LDAP bind flow (bound at order 10 below).
# Users may be matched by username or by e-mail address. The password stage
# is attached directly here (rather than as a separate flow binding), which
# per the authentik LDAP setup docs linked above lets the bind supply the
# password in the same step.
# NOTE(review): show_matched_user is not set, so the provider default
# applies — confirm it does not leak whether a username exists.
resource "authentik_stage_identification" "ldap_generic" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  password_stage = authentik_stage_password.ldap_generic[0].id
  user_fields    = ["username", "email"]
  name           = "ldap-generic-identification"
}
# The bind flow used by the LDAP provider below (referenced as bind_flow).
# It is an "authentication" flow made of the identification and user-login
# stages bound further down.
resource "authentik_flow" "ldap_generic" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  designation = "authentication"
  slug        = "ldap-generic-flow"
  title       = "ldap-generic-flow"
  name        = "ldap-generic-flow"
}
# First step of the bind flow: the identification stage (which carries the
# password stage) runs at order 10, before the user-login binding at 30.
resource "authentik_flow_stage_binding" "ldap_generic_identification" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  order  = 10
  target = authentik_flow.ldap_generic[0].uuid
  stage  = authentik_stage_identification.ldap_generic[0].id
}
# Second and last step of the bind flow: the user-login stage at order 30,
# i.e. after the identification/password step at order 10.
resource "authentik_flow_stage_binding" "ldap_generic_login" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  order  = 30
  target = authentik_flow.ldap_generic[0].uuid
  stage  = authentik_stage_user_login.ldap_generic[0].id
}
# The generic LDAP provider. Clients bind through the flow above; the
# directory is exposed under local.ldap_provider_base_dn.
# Only name, base_dn and bind_flow are set here, so bind/search mode,
# certificate and TLS settings (where the provider offers them) are all at
# their defaults.
# NOTE(review): nothing in this block pins the certificate used for LDAPS or
# restricts who may search the directory — confirm both in the provider
# defaults / authentik permissions before exposing the outpost.
resource "authentik_provider_ldap" "generic" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  bind_flow = authentik_flow.ldap_generic[0].uuid
  base_dn   = local.ldap_provider_base_dn
  name      = "ldap-generic-provider"
}
# Application wrapping the LDAP provider so it appears in authentik and can
# be subject to policies. No policy bindings are defined here, so access is
# governed by whatever authentik applies by default.
resource "authentik_application" "ldap_generic" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  protocol_provider = authentik_provider_ldap.generic[0].id
  slug              = "ldap-generic"
  name              = "ldap-generic"
}
# LDAP outpost serving the provider above.
# NOTE(review): no service_connection or config is set, so authentik will
# not deploy this outpost itself — presumably it is run manually with the
# outpost token; confirm how that token is distributed and stored.
resource "authentik_outpost" "ldap_generic" {
  # Created only when the generic LDAP provider is enabled.
  count = local.enable_generic_ldap_provider ? 1 : 0

  protocol_providers = [authentik_provider_ldap.generic[0].id]
  type               = "ldap"
  name               = "ldap-generic"
}
# Scope mapping
# Look up the built-in scope mappings for each entry in
# local.authentik_config.scope_mappings, keyed by the entry's name so the
# OAuth2 providers can pick one by name. Each entry selects mappings via its
# managed_list.
data "authentik_property_mapping_provider_scope" "scope_mappings" {
  for_each = { for sm in local.authentik_config.scope_mappings : sm.name => sm }

  managed_list = each.value.managed_list
}
# OAuth2 provider and application
# One OAuth2/OIDC provider per entry of local.authentik_config.providers,
# keyed by provider name.
# Security notes:
#   - client_secret comes straight from the config and ends up in Terraform
#     state; treat the state backend as holding secrets.
#   - redirect_uris should be exact URIs; any wildcard/regex-style entry
#     widens who can receive authorization codes.
#   - Tokens are signed with authentik's self-signed bootstrap key pair
#     (see the data source at the top of this file).
#   - Only name, client id/secret, flow, mappings, signing key and redirect
#     URIs are set; client type, token validity etc. are provider defaults.
resource "authentik_provider_oauth2" "oauth2_providers" {
  for_each = { for p in local.authentik_config.providers : p.name => p }

  # Explicit ordering after the scope-mapping lookups (the property_mappings
  # reference below already implies it).
  depends_on = [data.authentik_property_mapping_provider_scope.scope_mappings]

  name               = each.value.name
  client_id          = each.value.client_id
  client_secret      = each.value.client_secret
  redirect_uris      = each.value.redirect_uris
  authorization_flow = data.authentik_flow.default_authorization_flow.id
  signing_key        = data.authentik_certificate_key_pair.default.id
  # each.value.property_mappings names ONE scope_mappings entry; all of that
  # entry's mapping ids are attached.
  property_mappings = data.authentik_property_mapping_provider_scope.scope_mappings[each.value.property_mappings].ids
}
# One application per entry of local.authentik_config.applications, keyed by
# name, each bound to the OAuth2 provider named in its `provider` field.
# No policy bindings are defined here.
resource "authentik_application" "applications" {
  for_each = { for a in local.authentik_config.applications : a.name => a }

  protocol_provider = authentik_provider_oauth2.oauth2_providers[each.value.provider].id
  slug              = each.value.slug
  name              = each.value.name
}
# Users and groups
# Users from local.authentik_config.users, keyed by username.
# Security notes:
#   - The password is taken from the config (plaintext in locals and in
#     Terraform state) and is applied only at creation: ignore_changes
#     below means later edits to the config value are NOT pushed, so
#     rotation has to happen in authentik itself.
#   - `type` falls back to "internal" when the entry does not set it.
resource "authentik_user" "users" {
  for_each = { for u in local.authentik_config.users : u.username => u }

  type     = lookup(each.value, "type", "internal")
  password = each.value.password
  name     = each.value.name
  email    = each.value.email
  username = each.value.username

  lifecycle {
    # Never reset a password that was changed in authentik after creation.
    ignore_changes = [password]
  }
}
# Groups from local.authentik_config.groups, keyed by name. Membership is
# resolved by looking each listed username up in the users resource above,
# so an unknown username fails at plan time rather than silently.
# Nothing else (e.g. superuser status) is set, so provider defaults apply.
resource "authentik_group" "groups" {
  for_each = { for g in local.authentik_config.groups : g.name => g }

  users = [for member in each.value.users : authentik_user.users[member].id]
  name  = each.value.name
}