Refacto forward

forward/forward.tf

@@ -3,9 +3,10 @@ locals {
   forward_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "authentik-forward"
   })
-  external_url = format("https://%s", var.dns_name)
-  forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
-  forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
+  external_url              = format("https://%s", var.dns_name)
+  forward_outpost_results   = jsondecode(data.http.get_forward_outpost.response_body).results
+  forward_outpost_providers = local.forward_outpost_results[0].providers
+  forward_outpost_pk        = local.forward_outpost_results[0].pk
 }
 
 data "authentik_flow" "default_authorization_flow" {
@@ -33,6 +34,66 @@ data "http" "get_forward_outpost" {
   }
 }
 
+data "kubernetes_ingress_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+
+## Begin modification
+data "kubernetes_secret_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+
+resource "authentik_service_connection_kubernetes" "local" {
+  # count      = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0
+  depends_on = [data.kubernetes_secret_v1.authentik]
+  name       = "${var.domain}-local-forward"
+  local      = true
+}
+
+# data "authentik_flow" "default_authorization_flow" {
+#   count      = length(local.forward_outpost_results) == 0 ? 1 : 0
+#   depends_on = [authentik_service_connection_kubernetes.local]
+#   slug       = "default-provider-authorization-implicit-consent"
+# }
+
+resource "authentik_provider_proxy" "provider_forward" {
+  # count              = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0
+  name               = "authentik-${var.domain}-forward-provider"
+  internal_host      = "http://authentik-authentik"
+  external_host      = "http://authentik-authentik"
+  authorization_flow = data.authentik_flow.default_authorization_flow.id
+}
+
+resource "authentik_outpost" "output_forward" {
+  # count              = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0
+  name               = "forward"
+  type               = "proxy"
+  service_connection = authentik_service_connection_kubernetes.local.id
+  config = jsonencode({
+    "log_level" : "info",
+    "authentik_host" : "http://authentik",
+    "docker_map_ports" : true,
+    "kubernetes_replicas" : 1,
+    "kubernetes_namespace" : var.namespace,
+    "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
+    "object_naming_template" : "ak-outpost-%(name)s",
+    "authentik_host_insecure" : false,
+    "kubernetes_service_type" : "ClusterIP",
+    "kubernetes_image_pull_secrets" : [],
+    "kubernetes_disabled_components" : [],
+    "kubernetes_ingress_annotations" : {},
+    "kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name
+  })
+  protocol_providers = local.forward_outpost_providers
+}
+## End modification
+
 resource "restapi_object" "forward_outpost_binding" {
   path = "/outposts/instances/${local.forward_outpost_pk}/"
   data = jsonencode({
@@ -67,10 +128,3 @@ resource "kubectl_manifest" "middleware" {
         - X-authentik-meta-version
   EOF
 }
-
-data "kubernetes_ingress_v1" "authentik" {
-  metadata {
-    name      = "authentik"
-    namespace = "${var.domain}-auth"
-  }
-}

forward/providers.tf

@@ -1,5 +1,10 @@
 terraform {
+  required_version = ">= 1.0"
   required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "~> 1.14.0"

forward/variables.tf

@@ -30,3 +30,7 @@ variable "access_token_validity" {
 variable "request_headers" {
   type = map(string)
 }
+
+variable "ingress_certificat_secret_name" {
+  type = string
+}