feat: add argo workflows

2024-03-13 15:20:32 +01:00 · 2024-03-13 15:20:32 +01:00 · 2c7de2fb4c
commit 2c7de2fb4c
parent 8994143831
11 changed files with 254 additions and 0 deletions
--- a/tofu/adguard/main.tf
+++ b/tofu/adguard/main.tf
@ -90,3 +90,18 @@ resource "adguard_rewrite" "authentik" {
  domain = "auth.fukurokuju.dev"
  answer = "192.168.1.12"
 }
+
+resource "adguard_rewrite" "ci_local_1" {
+  domain = "ci.fuku"
+  answer = "192.168.1.31"
+}
+
+resource "adguard_rewrite" "ci_local_2" {
+  domain = "ci.fuku"
+  answer = "192.168.1.32"
+}
+
+resource "adguard_rewrite" "ci_local_3" {
+  domain = "ci.fuku"
+  answer = "192.168.1.33"
+}
--- a/tofu/authentik/.terraform.lock.hcl
+++ b/tofu/authentik/.terraform.lock.hcl
@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/goauthentik/authentik" {
+  version     = "2024.2.0"
+  constraints = "2024.2.0"
+  hashes = [
+    "h1:AeyEcplt1WTQijM1d2E1pBPemcL57WC5bZr7y1XNui4=",
+    "zh:03b13879c66d1536f250c91f61ba078cc34af2fec271ea19c838a719dd4f1baa",
+    "zh:1c4d93aa3de72e4b00ac33fc0d4134fc5a641b863e9cd9afdc1105a4024fc8f0",
+    "zh:50d2f5b71ea5410633dbc8b143bef6fa77a9670a07a3fd85f9921e1094ab416e",
+    "zh:5320a267adb8506c23941df1c4cba56a176d0b9e0441f247fe714d34a514fcc8",
+    "zh:58376699c8941c109e49db7edfca4f83ec47b5b46619346380ca79d50902623e",
+    "zh:61f86a37dcb30167d1bfb84428b821de10c73cdec1ef911f167991ebc7eb9cd5",
+    "zh:6e99b5cf0f5987e3e3e24e26af12084f741a0f0b79a04d0b7e6703525cf4633e",
+    "zh:81c39322353f7da1c84c4ec82b6e7de70131156b256de21aee741240694e5bef",
+    "zh:bbec3872accea0294c86f812d668f9e2e8255b3d1f7424b39ddc261d6d02e036",
+    "zh:c1b56e5c4e82c683baf7854153caa85c600001ca6d1405f0d82a1aa29a600375",
+    "zh:cf4e41422aba2435f68bf1cf6c1e83315fe70c810dfd7e81a581d94490d6870b",
+    "zh:d86a2383e7fae38c9ea80f87d27d34d46a13fa24579b4612a248c888a3c9e265",
+    "zh:df693bc3156a2d632843abad9294d9192d1569039800c59e8a594c1b8e0fc9df",
+    "zh:e1a7148102d5a169dfb24c0de8441f3a9c25363976f4f2ce97f4c0b2e904302c",
+  ]
+}
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@ -0,0 +1,32 @@
+terraform {
+  backend "s3" {
+    bucket = "fuku-terraform"
+    key    = "authentik/terraform"
+    region = "us-east-1"
+  }
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+  }
+}
+
+data "authentik_user" "catalin" {
+  username = "catalin"
+}
+
+resource "authentik_group" "ci" {
+  name  = "ci"
+  users = [data.authentik_user.catalin.id]
+}
+
+module "argo-workflows" {
+  source              = "../modules/authentik"
+  app_name            = "Argo Workflows"
+  app_slug            = "argo-workflows"
+  client_id           = var.argo_workflows_client_id
+  client_secret       = var.argo_workflows_client_secret
+  app_access_group_id = authentik_group.ci.id
+  redirect_uris = ["https://ci.fuku/oauth2/callback"]
+}
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@ -0,0 +1,4 @@
+ AUTHENTIK_URL=https://auth.fukurokuju.dev
+ AUTHENTIK_TOKEN=
+ TF_VAR_argo_workflows_client_id=
+ TF_VAR_argo_workflows_client_secret=
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@ -0,0 +1,9 @@
+variable "argo_workflows_client_id" {
+  description = "Client ID"
+  type        = string
+}
+
+variable "argo_workflows_client_secret" {
+  description = "Client secret"
+  type        = string
+}
--- a/tofu/modules/authentik/main.tf
+++ b/tofu/modules/authentik/main.tf
@ -0,0 +1,45 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+  }
+}
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "default-scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-profile",
+    "goauthentik.io/providers/oauth2/scope-offline_access",
+  ]
+}
+
+
+resource "authentik_provider_oauth2" "provider_oidc" {
+  name               = var.app_name
+  client_id          = var.client_id
+  client_secret      = var.client_secret
+  authorization_flow = data.authentik_flow.default-authorization-flow.id
+  redirect_uris      = var.redirect_uris
+  property_mappings  = data.authentik_scope_mapping.default-scopes.ids
+  sub_mode           = var.sub_mode
+  signing_key        = var.oidc_signing_key
+}
+
+
+resource "authentik_application" "app" {
+  name              = var.app_name
+  slug              = var.app_slug
+  protocol_provider = authentik_provider_oauth2.provider_oidc.id
+
+}
+resource "authentik_policy_binding" "app_access" {
+  target = authentik_application.app.uuid
+  group  = var.app_access_group_id
+  order  = 0
+}
--- a/tofu/modules/authentik/vars.tf
+++ b/tofu/modules/authentik/vars.tf
@ -0,0 +1,40 @@
+variable "app_name" {
+  description = "App name"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+  type        = string
+}
+
+variable "client_id" {
+  description = "Client ID"
+  type        = string
+}
+
+variable "client_secret" {
+  description = "Client secret"
+  type        = string
+}
+
+variable "app_access_group_id" {
+  description = "ID of a group which will have access to the app"
+  type        = string
+}
+
+variable "redirect_uris" {
+  description = "List of URIs allowed to redirect to"
+  type        = list(string)
+}
+
+variable "sub_mode" {
+  type = string
+  default = "user_username"
+}
+
+variable "oidc_signing_key" {
+  type        = string
+  description = "Signing key"
+  default     = "c4ff5edf-3cad-4093-9326-44fea088e670"
+}