fix

apps/code-server/forward.tf

@@ -8,7 +8,7 @@ locals {
   forward-outpost-pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
   app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
   app-icon = "_static/src/browser/media/favicon-dark-support.svg"
-  main-group = format("%s-users", local.app-name)
+  main-group = format("app-%s", local.app-name)
   sub-groups = []
   external-url = format("https://%s", local.dns-names[0])
   access-token-validity = "hours=10" // ;minutes=10
@@ -68,6 +68,7 @@ resource "authentik_application" "prj_application" {
 
 resource "authentik_group" "prj_users" {
   name         = local.main-group
+  attributes   = jsonencode({local.app-name = true})
 }
 
 resource "authentik_group" "subgroup" {
@@ -76,6 +77,14 @@ resource "authentik_group" "subgroup" {
   parent       = authentik_group.prj_users.id
 }
 
+resource "authentik_policy_expression" "policy" {
+  name       = local.main-group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app-name}'] if '${local.app-name}' in attr else False
+  EOF
+}
+
 data "authentik_group" "vynil-admin" {
   depends_on = [authentik_group.prj_users] # fake dependency so it is not evaluated at plan stage
   name = "vynil-forward-admins"
@@ -83,7 +92,7 @@ data "authentik_group" "vynil-admin" {
 
 resource "authentik_policy_binding" "prj_access_users" {
   target = authentik_application.prj_application.uuid
-  group  = authentik_group.prj_users.id
+  policy = authentik_policy_expression.policy.id
   order  = 0
 }
 resource "authentik_policy_binding" "prj_access_vynil" {