feat: add authentik-{proxy,oidc} module

cătălin 2024-07-17 17:05:29 +02:00
commit 9d6464a7af
No known key found for this signature in database
5 changed files with 118 additions and 12 deletions


@ -28,7 +28,7 @@ resource "authentik_group" "admins" {
} }
module "argo-workflows" { module "argo-workflows" {
source = "../modules/authentik" source = "../modules/authentik-oidc"
app_name = "Argo Workflows" app_name = "Argo Workflows"
app_slug = "argo-workflows" app_slug = "argo-workflows"
client_id = var.argo_workflows_client_id client_id = var.argo_workflows_client_id
@ -42,7 +42,7 @@ module "argo-workflows" {
} }
module "firezone" { module "firezone" {
source = "../modules/authentik" source = "../modules/authentik-oidc"
app_name = "Firezone" app_name = "Firezone"
app_slug = "firezone" app_slug = "firezone"
client_id = var.firezone_client_id client_id = var.firezone_client_id
@ -57,7 +57,7 @@ module "firezone" {
} }
module "gitea" { module "gitea" {
source = "../modules/authentik" source = "../modules/authentik-oidc"
app_name = "Gitea" app_name = "Gitea"
app_slug = "gitea" app_slug = "gitea"
client_id = var.gitea_client_id client_id = var.gitea_client_id
@ -72,7 +72,7 @@ module "gitea" {
} }
module "miniflux" { module "miniflux" {
source = "../modules/authentik" source = "../modules/authentik-oidc"
app_name = "Miniflux" app_name = "Miniflux"
app_slug = "miniflux" app_slug = "miniflux"
client_id = var.miniflux_client_id client_id = var.miniflux_client_id


@ -7,10 +7,15 @@ terraform {
} }
} }
} }
data "authentik_flow" "default-authorization-flow" { data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
data "authentik_scope_mapping" "default-scopes" { data "authentik_scope_mapping" "default-scopes" {
managed_list = [ managed_list = [
"goauthentik.io/providers/oauth2/scope-email", "goauthentik.io/providers/oauth2/scope-email",
@ -22,14 +27,15 @@ data "authentik_scope_mapping" "default-scopes" {
resource "authentik_provider_oauth2" "provider_oidc" { resource "authentik_provider_oauth2" "provider_oidc" {
name = var.app_name name = var.app_name
client_id = var.client_id client_id = var.client_id
client_secret = var.client_secret client_secret = var.client_secret
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default-authorization-flow.id
redirect_uris = var.redirect_uris authentication_flow = data.authentik_flow.default-authentication-flow.id
property_mappings = data.authentik_scope_mapping.default-scopes.ids redirect_uris = var.redirect_uris
sub_mode = var.sub_mode property_mappings = data.authentik_scope_mapping.default-scopes.ids
signing_key = var.oidc_signing_key sub_mode = var.sub_mode
signing_key = var.oidc_signing_key
} }
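Review bot: The new `authentication_flow = data.authentik_flow.default-authentication-flow.id` resolves a hard-coded slug, so a deployment that enforces MFA through a custom flow still gets the stock `default-authentication-flow` on every OIDC client this module creates; a `variable "authentication_flow_slug"` with `default = "default-authentication-flow"` and `slug = var.authentication_flow_slug` in the data source keeps today's behaviour while letting a caller point at a stricter flow. The authorization flow is likewise fixed to `default-provider-authorization-implicit-consent`, which never shows users a consent screen, so a comment such as `# implicit consent: users are never asked to approve scopes — acceptable for first-party apps only` would record that this is deliberate. `redirect_uris = var.redirect_uris` is passed through unvalidated; in the authentik releases the pinned 2024.2 provider targets, each entry is treated as a regular expression and an empty list makes authentik learn the first redirect URI a client presents, so the variable (defined outside this hunk) should reject an empty list and its description should warn that `.` in hostnames must be escaped — confirm against the module's variables file. The `terraform` block closed by the first hunk's leading `} }` lines starts outside the hunk.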


@ -0,0 +1,46 @@
terraform {
required_version = ">= 1.6"
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2024.2.0"
}
}
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
resource "authentik_provider_proxy" "provider_proxy" {
authorization_flow = data.authentik_flow.default-authorization-flow.id
authentication_flow = data.authentik_flow.default-authentication-flow.id
external_host = var.app_url
internal_host = var.internal_host
name = var.app_name
internal_host_ssl_validation = var.internal_host_ssl_validation
}
resource "authentik_application" "app" {
name = var.app_name
slug = var.app_slug
protocol_provider = authentik_provider_proxy.provider_proxy.id
open_in_new_tab = var.open_in_new_tab
meta_icon = var.app_icon
meta_description = var.app_description
meta_publisher = var.app_publisher
meta_launch_url = var.app_url
}
resource "authentik_policy_binding" "app_access" {
target = authentik_application.app.uuid
group = var.app_access_group_id
order = 0
count = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
}
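Review bot: The `count` guard on `authentik_policy_binding.app_access` fails open: when `app_access_group_id` is `""` no policy is bound to the application, and authentik then admits every authenticated user to the proxied `internal_host`, which the comment `# only add it if the group's name exists` neither says nor matches (it tests an ID, not a name). Either drop the guard so a group is always bound, or replace the comment with `# empty group id → no binding → authentik allows ALL authenticated users; opt in deliberately` so the consequence is visible where the decision is made. `internal_host_ssl_validation = var.internal_host_ssl_validation` inherits the module's default of `false` from its variables file, meaning a caller that omits the argument gets an outpost-to-upstream TLS connection with no certificate check; a comment on that line such as `# defaults to false in variables.tf — upstream certificate is NOT verified unless the caller opts in` would keep that from being overlooked. `mode` is left unset, so the provider presumably falls back to authentik's default proxy mode rather than forward-auth; stating the intended mode explicitly would spare the next reader a lookup.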


@ -0,0 +1,54 @@
variable "app_name" {
description = "App name"
type = string
}
variable "app_slug" {
description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
type = string
}
variable "app_access_group_id" {
description = "ID of a group which will have access to the app"
type = string
}
variable "open_in_new_tab" {
type = bool
description = "Open apps in a new tab"
default = true
}
variable "app_icon" {
type = string
default = ""
}
variable "app_description" {
type = string
default = ""
}
variable "app_publisher" {
type = string
default = ""
}
variable "app_url" {
type = string
default = ""
}
variable "internal_host" {
description = "Internal, upstream host authentik will proxy to"
type = string
}
variable "internal_host_ssl_validation" {
description = "Validate SSL certificate of the upstream servers"
type = bool
default = false
}
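Review bot: `internal_host_ssl_validation` defaults to `false`, so every proxied app skips certificate verification toward its upstream unless the caller explicitly opts in; the safer shape is `default = true` with `description = "Validate the upstream's TLS certificate; set to false only for self-signed internal services"`, since callers that need the exception already have the knob. `app_url` defaults to `""` although the module's main.tf uses it as the proxy provider's `external_host` and as the launch URL, so omitting it yields a provider with no external host; drop the default to make it required and add a `validation` block with `condition = startswith(var.app_url, "https://")` and `error_message = "app_url must be an https:// URL"` (the module already requires Terraform >= 1.6, so `startswith` is available). `app_access_group_id` has no default, yet main.tf treats `""` as "bind no policy", which in authentik means any authenticated user can use the app; the description should say so, e.g. `"ID of the group allowed to use the app; an empty string binds no policy and lets every authenticated user in"`. The trailing variables of this file may continue beyond the lines shown here.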