locals {
  app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
  main-group = format("app-%s", local.app_name)
}
data "authentik_group" "akadmin" {
  name = "authentik Admins"
}
resource "authentik_group" "groups" {
  name         = local.main-group
  attributes   = jsonencode({"${local.app_name}" = true})
}

resource "authentik_application" "prj_app" {
  name              = "${var.instance}"
  slug              = "${var.instance}-${var.component}"
  #protocol_provider = authentik_provider_oauth2.oauth2.id
  group             = var.app_group
  backchannel_providers = [authentik_provider_scim.scim.id]
  meta_launch_url   = format("https://%s.%s", var.sub_domain, var.domain_name)
  meta_icon         = format("https://%s.%s/%s", var.sub_domain, var.domain_name, "favicon-32x32.png")
}

resource "authentik_policy_expression" "policy" {
  name       = local.main-group
  expression = <<-EOF
    attr = request.user.group_attributes()
    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
  EOF
}

resource "authentik_policy_binding" "prj_access_users" {
  target = authentik_application.prj_app.uuid
  policy = authentik_policy_expression.policy.id
  order  = 0
}
resource "authentik_policy_binding" "prj_access_vynil" {
  target = authentik_application.prj_app.uuid
  group  = data.authentik_group.akadmin.id
  order  = 1
}