diff --git a/application/application.tf b/application/application.tf index 1827782..96d0704 100644 --- a/application/application.tf +++ b/application/application.tf @@ -7,13 +7,14 @@ data "authentik_group" "akadmin" { } resource "authentik_group" "groups" { name = local.main_group - attributes = jsonencode({ "${local.app_name}" = true }) + attributes = jsonencode({ "${local.app_name}" = var.attributes }) } resource "authentik_group" "subgroup" { count = length(var.sub_groups) name = format("%s-%s", local.main_group, var.sub_groups[count.index]) parent = authentik_group.groups.id + attributes = length(var.sub_groups_attributes)>count.index?jsonencode({ "${local.app_name}" = var.sub_groups_attributes[count.index] }):jsonencode({ "${local.app_name}" = var.attributes }) } resource "authentik_application" "prj_app" { @@ -30,7 +31,7 @@ resource "authentik_policy_expression" "policy" { name = local.main_group expression = <<-EOF attr = request.user.group_attributes() - return attr['${local.app_name}'] if '${local.app_name}' in attr else False + return True if '${local.app_name}' in attr else False EOF } diff --git a/application/variables.tf b/application/variables.tf index 3a6d05b..34ca74c 100644 --- a/application/variables.tf +++ b/application/variables.tf @@ -26,3 +26,9 @@ variable "backchannel_providers" { type = list(number) default = null } +variable "attributes" { + default = {enable = true} +} +variable "sub_groups_attributes" { + default = [] +} diff --git a/oauth2/oauth2.tf b/oauth2/oauth2.tf index b3f65b4..8564ccb 100644 --- a/oauth2/oauth2.tf +++ b/oauth2/oauth2.tf @@ -4,29 +4,9 @@ locals { "app.kubernetes.io/component" = "authentik-oauth2" }) } -resource "kubectl_manifest" "oauth2-secret" { - ignore_fields = ["metadata.annotations"] - yaml_body = <<-EOF - apiVersion: "secretgenerator.mittwald.de/v1alpha1" - kind: "StringSecret" - metadata: - name: "${local.app_slug}-id" - namespace: "${var.namespace}" - labels: ${jsonencode(local.oauth2_labels)} - spec: - forceRegenerate: false - fields: - - fieldName: "client-id" - length: "32" - EOF -} -data "kubernetes_secret_v1" "oauth2-client-id" { - depends_on = [kubectl_manifest.oauth2-secret] - metadata { - name = kubectl_manifest.oauth2-secret.name - namespace = var.namespace - labels = local.oauth2_labels - } +resource "random_password" "client_id" { + length = 32 + special = false } data "authentik_certificate_key_pair" "ca" { @@ -49,7 +29,7 @@ data "authentik_flow" "default-authentication-flow" { resource "authentik_provider_oauth2" "oauth2" { name = "${local.app_slug}" - client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] + client_id = random_password.client_id.result authentication_flow = data.authentik_flow.default-authentication-flow.id authorization_flow = data.authentik_flow.default-authorization-flow.id client_type = "confidential" @@ -61,6 +41,17 @@ resource "authentik_provider_oauth2" "oauth2" { ] } +resource "kubernetes_secret_v1" "oauth2-client-id" { + metadata { + name = "${local.app_slug}-id" + namespace = var.namespace + labels = local.oauth2_labels + } + data = { + client-id = random_password.client_id.result + } +} + resource "kubernetes_secret_v1" "oauth2-client-secret" { metadata { name = "${local.app_slug}-secret" @@ -68,6 +59,7 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" { labels = local.oauth2_labels } data = { + client-id = random_password.client_id.result client-secret = authentik_provider_oauth2.oauth2.client_secret } } diff --git a/oauth2/outputs.tf b/oauth2/outputs.tf index c7cc20c..f852d97 100644 --- a/oauth2/outputs.tf +++ b/oauth2/outputs.tf @@ -18,14 +18,14 @@ output "sso_token_url" { value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/" } output "client_id" { - value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] + value = random_password.client_id.result } output "client_secret" { - value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"] + value = authentik_provider_oauth2.oauth2.client_secret } output "secret_client_id_name" { - value = kubectl_manifest.oauth2-secret.name + value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name } output "secret_client_secret_name" { value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name diff --git a/saml/outputs.tf b/saml/outputs.tf index 851a91b..54413ed 100644 --- a/saml/outputs.tf +++ b/saml/outputs.tf @@ -1,3 +1,27 @@ +output "app_id" { + value = "${local.app_slug}-saml" +} output "provider-id" { value = authentik_provider_saml.prj.id -} \ No newline at end of file +} +output "issuer" { + value = authentik_provider_saml.prj.issuer +} +output "url_slo_post" { + value = authentik_provider_saml.prj.url_slo_post +} +output "url_slo_redirect" { + value = authentik_provider_saml.prj.url_slo_redirect +} +output "url_sso_init" { + value = authentik_provider_saml.prj.url_sso_init +} +output "url_sso_post" { + value = authentik_provider_saml.prj.url_sso_post +} +output "url_sso_redirect" { + value = authentik_provider_saml.prj.url_sso_redirect +} +output "certificate_data" { + value = data.authentik_certificate_key_pair.generated.certificate_data +} diff --git a/saml/saml.tf b/saml/saml.tf index 7c0e9bf..a0f6bc1 100644 --- a/saml/saml.tf +++ b/saml/saml.tf @@ -1,6 +1,6 @@ locals{ app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" - saml_labels = merge(var.labels, { + saml_labels = merge(var.labels, { "app.kubernetes.io/component" = "authentik-saml" }) } @@ -12,7 +12,7 @@ data "authentik_flow" "default-authentication-flow" { } data "authentik_property_mapping_saml" "saml_maps" { - managed_list = [ + managed_list = var.group_mapping==null?[ "goauthentik.io/providers/saml/email", "goauthentik.io/providers/saml/groups", "goauthentik.io/providers/saml/name", @@ -20,9 +20,24 @@ data "authentik_property_mapping_saml" "saml_maps" { "goauthentik.io/providers/saml/uid", "goauthentik.io/providers/saml/username", "goauthentik.io/providers/saml/ms-windowsaccountname", + ]:[ + "goauthentik.io/providers/saml/email", + "goauthentik.io/providers/saml/name", + "goauthentik.io/providers/saml/upn", + "goauthentik.io/providers/saml/uid", + "goauthentik.io/providers/saml/username", + "goauthentik.io/providers/saml/ms-windowsaccountname", ] } +resource "authentik_property_mapping_saml" "mapping" { + count = var.group_mapping==null?0:1 + friendly_name = "groups" + name = "${local.app_slug} Group mapping" + saml_name = "http://schemas.xmlsoap.org/claims/Group" + expression = var.group_mapping +} + data "authentik_property_mapping_saml" "saml_name" { managed = "goauthentik.io/providers/saml/username" } @@ -54,9 +69,11 @@ resource "authentik_provider_saml" "prj" { authentication_flow = data.authentik_flow.default-authentication-flow.id authorization_flow = data.authentik_flow.default-authorization-flow.id acs_url = "https://${var.dns_names[0]}/${var.acs_path}" - property_mappings = data.authentik_property_mapping_saml.saml_maps.ids + property_mappings = var.group_mapping==null?data.authentik_property_mapping_saml.saml_maps.ids:concat(data.authentik_property_mapping_saml.saml_maps.ids,[authentik_property_mapping_saml.mapping[0].id]) name_id_mapping = data.authentik_property_mapping_saml.saml_name.id signing_kp = data.authentik_certificate_key_pair.generated.id sp_binding = var.binding + audience = var.audience + issuer = var.saml_issuer } diff --git a/saml/variables.tf b/saml/variables.tf index 73e08ed..22417ca 100644 --- a/saml/variables.tf +++ b/saml/variables.tf @@ -17,6 +17,21 @@ variable "binding" { type = string default = "post" } +variable "namespace" { + type = string +} variable "labels" { type = map(string) } +variable "group_mapping" { + type = string + default = null +} +variable "audience" { + type = string + default = null +} +variable "saml_issuer" { + type = string + default = null +}