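// Authentik bootstrap token, read from the Secret created by the Authentik
// deployment. This is a superuser credential; it is only needed for the
// restapi work-around further down and is not used by the authentik provider.
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = local.auth_namespace
  }
}

// Built-in SCIM property mappings shipped with Authentik (looked up by their
// "managed" identifier rather than by name).
data "authentik_property_mapping_scim" "user" {
  managed = "goauthentik.io/providers/scim/user"
}

data "authentik_property_mapping_scim" "group" {
  managed = "goauthentik.io/providers/scim/group"
}

// SCIM provider that pushes users and groups to the in-cluster SCIM gateway.
// NOTE: the gateway URL is plain http:// inside the cluster, so the SCIM
// token travels unencrypted on the cluster network.
resource "authentik_provider_scim" "scim" {
  name  = "${var.component}-${var.instance}-scim"
  url   = "http://${var.instance}-scimgateway.${var.namespace}.svc.cluster.local/scim"
  token = local.secrets.authentik

  property_mappings       = [data.authentik_property_mapping_scim.user.id]
  property_mappings_group = [data.authentik_property_mapping_scim.group.id]
}

// Work-around missing features in the provider
locals {
  // Namespace the Authentik deployment lives in. Used for both the Secret
  // lookup and the API URL so the two cannot drift apart.
  auth_namespace = "${var.domain}-auth"

  // Base URL of the Authentik API, also plain http:// in-cluster; the bearer
  // token below is therefore sent unencrypted on the cluster network.
  authentik_url = "http://authentik.${local.auth_namespace}.svc"

  // Derived from the Secret's `data` attribute; Terraform keeps it redacted in
  // plan/apply output as long as the kubernetes provider marks `data` sensitive
  // (review: confirm for the provider version in use).
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]

  request_headers = {
    "Content-Type" = "application/json"
    Authorization  = "Bearer ${local.authentik_token}"
  }
}

// Raw REST access to the Authentik API for fields the authentik provider does
// not expose. Every method is PATCH so create/update only touch the listed
// fields. Destroy issues a PATCH as well; whether that reverts the fields
// depends on the payload the restapi provider sends on destroy (review: confirm).
provider "restapi" {
  uri                  = "${local.authentik_url}/api/v3/"
  headers              = local.request_headers
  create_method        = "PATCH"
  update_method        = "PATCH"
  destroy_method       = "PATCH"
  write_returns_object = true
  id_attribute         = "name"
}

// Restrict the SCIM sync to a single group and exclude service accounts.
// `name` is included because the restapi provider uses it as the object id
// (see id_attribute above).
resource "restapi_object" "scim_config_limit_user" {
  path = "/providers/scim/${authentik_provider_scim.scim.id}/"
  data = jsonencode({
    name                          = authentik_provider_scim.scim.name
    exclude_users_service_account = true
    filter_group                  = authentik_group.groups.id
  })
}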