# Looks up the existing "authentik" Secret in the "<domain>-auth" namespace.
# Its AUTHENTIK_BOOTSTRAP_TOKEN entry is read further down and used as the
# bearer token for direct Authentik API calls.
# NOTE(review): a data source copies the Secret's contents into Terraform
# state; the state backend therefore holds what is presumably an admin-level
# credential and must be protected (encryption, restricted access) accordingly.
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}
# Built-in SCIM user mapping shipped with Authentik, looked up by its managed
# identifier rather than by name so renames in the UI do not break the plan.
data "authentik_property_mapping_scim" "user" {
  managed = "goauthentik.io/providers/scim/user"
}
# Built-in SCIM group mapping shipped with Authentik, looked up by its managed
# identifier (see the matching "user" data source above).
data "authentik_property_mapping_scim" "group" {
  managed = "goauthentik.io/providers/scim/group"
}
# SCIM provider that pushes users and groups from Authentik to the in-cluster
# scimgateway service. The provider's own settings (filter group, service
# account exclusion) are patched in separately via restapi_object below.
resource "authentik_provider_scim" "scim" {
  name = "${var.instance}-${var.component}-scim"

  # Built-in SCIM mappings, resolved by their managed id above.
  property_mappings       = [data.authentik_property_mapping_scim.user.id]
  property_mappings_group = [data.authentik_property_mapping_scim.group.id]

  # Plain-HTTP cluster-local endpoint: the bearer token below is sent in clear
  # across the pod network, so this relies on the cluster network (or a mesh
  # providing transport encryption) being trusted.
  url   = "http://${var.instance}-scimgateway.${var.namespace}.svc.cluster.local/scim"
  # local.secrets is defined outside this file; the value lands in state.
  token = local.secrets.authentik
}
// Work-around for features missing from the provider
# Connection details for talking to the Authentik API directly, used by the
# restapi provider below to patch fields the authentik provider does not expose.
locals {
  # The bootstrap token is read straight out of the Kubernetes Secret; it is
  # presumably a long-lived admin credential, so everything that can see this
  # plan/state can act as the Authentik admin. Rotating it requires re-running
  # this configuration. Whether the kubernetes provider already marks the
  # Secret's data as sensitive should be confirmed for the provider version in use.
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]

  # Cluster-local service address of the Authentik API (plain HTTP).
  authentik_url = "http://authentik.${var.domain}-auth.svc"

  # Headers sent with every restapi request; the token travels as a Bearer
  # header, so keep this map out of any output or log.
  request_headers = {
    Authorization  = "Bearer ${local.authentik_token}"
    "Content-Type" = "application/json"
  }
}
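# Generic REST client pointed at the Authentik v3 API, authenticated with the
# bootstrap token from local.request_headers.
# Every lifecycle operation is mapped to PATCH: the objects this provider
# touches are owned by authentik_* resources, so "create" and "destroy" here
# only adjust fields on an existing object rather than creating or deleting it.
# NOTE(review): with destroy_method = "PATCH", removing a restapi_object does
# not appear to revert the fields it set — confirm against the provider's
# destroy behaviour if reverting matters.
provider "restapi" {
  # Derived from the single URL definition in locals so the two cannot drift.
  uri     = "${local.authentik_url}/api/v3/"
  headers = local.request_headers

  create_method  = "PATCH"
  update_method  = "PATCH"
  destroy_method = "PATCH"

  # The PATCH response body is the full object; its "name" field becomes the
  # resource id, so every patched object must return a "name".
  write_returns_object = true
  id_attribute         = "name"
}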
# Patches settings onto the SCIM provider created above that the authentik
# provider does not expose: restrict syncing to one group and skip service
# accounts. The path targets the provider by id; the request PATCHes rather
# than creates it (see the restapi provider configuration).
resource "restapi_object" "scim_config_limit_user" {
  path = "/providers/scim/${authentik_provider_scim.scim.id}/"

  data = jsonencode({
    # authentik_group.groups is defined outside this file.
    filter_group                  = authentik_group.groups.id
    exclude_users_service_account = true
    # "name" must be present because the restapi provider uses it as the id.
    name                          = authentik_provider_scim.scim.name
  })
}