From e0baae6132c7abe76d28799f71cbde825bdac12c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Huss?= Date: Wed, 10 Jan 2024 13:23:08 +0100 Subject: [PATCH] first commit --- application/application.tf | 46 ++++++++++++++++ application/outputs.tf | 7 +++ application/providers.tf | 8 +++ application/variables.tf | 28 ++++++++++ forward/forward.tf | 104 +++++++++++++++++++++++++++++++++++++ forward/outputs.tf | 7 +++ forward/providers.tf | 20 +++++++ forward/variables.tf | 33 ++++++++++++ ingress/ingress.tf | 70 +++++++++++++++++++++++++ ingress/providers.tf | 9 ++++ ingress/variables.tf | 46 ++++++++++++++++ mysql/mysql.tf | 94 +++++++++++++++++++++++++++++++++ mysql/providers.tf | 12 +++++ mysql/variables.tf | 18 +++++++ oauth2/oauth2.tf | 73 ++++++++++++++++++++++++++ oauth2/outputs.tf | 7 +++ oauth2/providers.tf | 17 ++++++ oauth2/variables.tf | 22 ++++++++ saml/outputs.tf | 3 ++ saml/providers.tf | 12 +++++ saml/saml.tf | 56 ++++++++++++++++++++ saml/variables.tf | 19 +++++++ service/providers.tf | 8 +++ service/svc.tf | 22 ++++++++ service/variables.tf | 24 +++++++++ 25 files changed, 765 insertions(+) create mode 100644 application/application.tf create mode 100644 application/outputs.tf create mode 100644 application/providers.tf create mode 100644 application/variables.tf create mode 100644 forward/forward.tf create mode 100644 forward/outputs.tf create mode 100644 forward/providers.tf create mode 100644 forward/variables.tf create mode 100644 ingress/ingress.tf create mode 100644 ingress/providers.tf create mode 100644 ingress/variables.tf create mode 100644 mysql/mysql.tf create mode 100644 mysql/providers.tf create mode 100644 mysql/variables.tf create mode 100644 oauth2/oauth2.tf create mode 100644 oauth2/outputs.tf create mode 100644 oauth2/providers.tf create mode 100644 oauth2/variables.tf create mode 100644 saml/outputs.tf create mode 100644 saml/providers.tf create mode 100644 saml/saml.tf create mode 100644 saml/variables.tf create mode 100644 service/providers.tf create mode 100644 service/svc.tf create mode 100644 service/variables.tf diff --git a/application/application.tf b/application/application.tf new file mode 100644 index 0000000..29db640 --- /dev/null +++ b/application/application.tf @@ -0,0 +1,46 @@ +locals { + app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) + main_group = format("app-%s", local.app_name) +} +data "authentik_group" "akadmin" { + name = "authentik Admins" +} +resource "authentik_group" "groups" { + name = local.main_group + attributes = jsonencode({ "${local.app_name}" = true }) +} + +resource "authentik_group" "subgroup" { + count = length(var.sub_groups) + name = format("%s-%s", local.app_name, var.sub_groups[count.index]) + parent = authentik_group.groups.id +} + +resource "authentik_application" "prj_app" { + name = var.instance + slug = "${var.component}-${var.instance}" + group = var.app_group + protocol_provider = var.protocol_provider + backchannel_providers = var.backchannel_providers + meta_launch_url = format("https://%s", var.dns_name) + meta_icon = format("https://%s/%s", var.dns_name, var.icon) +} + +resource "authentik_policy_expression" "policy" { + name = local.main_group + expression = <<-EOF + attr = request.user.group_attributes() + return attr['${local.app_name}'] if '${local.app_name}' in attr else False + EOF +} + +resource "authentik_policy_binding" "prj_access_users" { + target = authentik_application.prj_app.uuid + policy = authentik_policy_expression.policy.id + order = 0 +} +resource "authentik_policy_binding" "prj_access_vynil" { + target = authentik_application.prj_app.uuid + group = data.authentik_group.akadmin.id + order = 1 +} diff --git a/application/outputs.tf b/application/outputs.tf new file mode 100644 index 0000000..e0f2d03 --- /dev/null +++ b/application/outputs.tf @@ -0,0 +1,7 @@ +output "application-id" { + value = authentik_application.prj_app.uuid +} + +output "policy-id" { + value = authentik_policy_expression.policy.id +} diff --git a/application/providers.tf b/application/providers.tf new file mode 100644 index 0000000..77cbd53 --- /dev/null +++ b/application/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "~> 2023.5.0" + } + } +} diff --git a/application/variables.tf b/application/variables.tf new file mode 100644 index 0000000..3a6d05b --- /dev/null +++ b/application/variables.tf @@ -0,0 +1,28 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "icon" { + type = string +} +variable "app_group" { + type = string +} +variable "protocol_provider" { + type = number + default = null +} +variable "dns_name" { + type = string +} +variable "sub_groups" { + type = list(string) + default = [] +} + +variable "backchannel_providers" { + type = list(number) + default = null +} diff --git a/forward/forward.tf b/forward/forward.tf new file mode 100644 index 0000000..2a051b8 --- /dev/null +++ b/forward/forward.tf @@ -0,0 +1,104 @@ +locals { + forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers + forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk + app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) + main_group = format("app-%s", local.app_name) + external_url = format("https://%s", var.dns_names[0]) + rules_icons = [for v in var.dns_names : { + "host" = "${v}" + "http" = { + "paths" = [{ + "backend" = { + "service" = var.service + } + "path" = "/${var.icon}" + "pathType" = "Prefix" + }] + } + }] +} + +resource "kubectl_manifest" "prj_ingress_icon" { + force_conflicts = true + yaml_body = <<-EOF + apiVersion: "networking.k8s.io/v1" + kind: "Ingress" + metadata: + name: "${var.instance}-icons" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + ingressClassName: "${var.ingress_class}" + rules: ${jsonencode(local.rules_icons)} + tls: + - hosts: ${jsonencode(var.dns_names)} + secretName: "${var.instance}-cert" + EOF +} + +data "authentik_flow" "default-authorization-flow" { + slug = "default-provider-authorization-implicit-consent" +} + +resource "authentik_provider_proxy" "prj_forward" { + name = local.app_name + external_host = local.external_url + authorization_flow = data.authentik_flow.default-authorization-flow.id + mode = "forward_single" + access_token_validity = var.access_token_validity +} + +data "http" "get_forward_outpost" { + depends_on = [authentik_provider_proxy.prj_forward] + url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward" + method = "GET" + request_headers = var.request_headers + lifecycle { + postcondition { + condition = contains([200], self.status_code) + error_message = "Status code invalid" + } + } +} + +resource "restapi_object" "forward_outpost_binding" { + path = "/outposts/instances/${local.forward_outpost_pk}/" + data = jsonencode({ + name = "forward" + providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id]) + }) +} + +resource "kubectl_manifest" "prj_middleware" { + yaml_body = <<-EOF + apiVersion: traefik.containo.us/v1alpha1 + kind: Middleware + metadata: + name: "forward-${local.app_name}" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + forwardAuth: + address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-email + - X-authentik-groups + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + EOF +} + +data "kubernetes_ingress_v1" "authentik" { + metadata { + name = "authentik" + namespace = "${var.domain}-auth" + } +} diff --git a/forward/outputs.tf b/forward/outputs.tf new file mode 100644 index 0000000..dc2ecfc --- /dev/null +++ b/forward/outputs.tf @@ -0,0 +1,7 @@ +output "provider-id" { + value = authentik_provider_proxy.prj_forward.id +} + +output "sso_logout" { + value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${var.component}-${var.instance}/end-session/" +} diff --git a/forward/providers.tf b/forward/providers.tf new file mode 100644 index 0000000..92c0b09 --- /dev/null +++ b/forward/providers.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + authentik = { + source = "goauthentik/authentik" + version = "~> 2023.5.0" + } + http = { + source = "hashicorp/http" + version = "~> 3.3.0" + } + restapi = { + source = "Mastercard/restapi" + version = "~> 1.18.0" + } + } +} diff --git a/forward/variables.tf b/forward/variables.tf new file mode 100644 index 0000000..8a257af --- /dev/null +++ b/forward/variables.tf @@ -0,0 +1,33 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "icon" { + type = string +} +variable "domain" { + type = string +} +variable "namespace" { + type = string +} +variable "ingress_class" { + type = string +} +variable "labels" { + type = map(string) +} +variable "dns_names" { + type = list(string) +} +variable "access_token_validity" { + type = string + default = "hours=10" // ;minutes=10 +} +variable "service" { +} +variable "request_headers" { + type = map(string) +} diff --git a/ingress/ingress.tf b/ingress/ingress.tf new file mode 100644 index 0000000..9b54ce3 --- /dev/null +++ b/ingress/ingress.tf @@ -0,0 +1,70 @@ + +locals { + rules = [for v in var.dns_names : { + "host" = "${v}" + "http" = { + "paths" = [for idx, svc in var.services : { + "backend" = { + "service" = svc + } + "path" = "/${var.sub_paths[idx]}" + "pathType" = "Prefix" + }] + } + }] +} + +resource "kubectl_manifest" "prj_certificate" { + count = var.create_cert ? 1 : 0 + yaml_body = <<-EOF + apiVersion: "cert-manager.io/v1" + kind: "Certificate" + metadata: + name: "${var.instance}${var.component == "" ? "" : "-"}${var.component}" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + secretName: "${var.instance}${var.component == "" ? "" : "-"}${var.component}-cert" + dnsNames: ${jsonencode(var.dns_names)} + issuerRef: + name: "${var.issuer}" + kind: "ClusterIssuer" + group: "cert-manager.io" + EOF +} + +resource "kubectl_manifest" "prj_https_redirect" { + count = var.create_redirect || var.component == "" ? 1 : 0 + yaml_body = <<-EOF + apiVersion: "traefik.containo.us/v1alpha1" + kind: "Middleware" + metadata: + name: "${var.instance}-https" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + redirectScheme: + scheme: "https" + permanent: true + EOF +} + +resource "kubectl_manifest" "prj_ingress" { + force_conflicts = true + yaml_body = <<-EOF + apiVersion: "networking.k8s.io/v1" + kind: "Ingress" + metadata: + name: "${var.instance}${var.component == "" ? "" : "-${var.component}"}" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + annotations: + "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in concat(["${var.instance}-https"], var.middlewares) : format("%s-%s@kubernetescrd", var.namespace, m)])}" + spec: + ingressClassName: "${var.ingress_class}" + rules: ${jsonencode(local.rules)} + tls: + - hosts: ${jsonencode(var.dns_names)} + secretName: "${var.instance}${var.secret_component != "" ? "-${var.secret_component}" : var.component == "" ? "" : "-${var.component}"}-cert" + EOF +} diff --git a/ingress/providers.tf b/ingress/providers.tf new file mode 100644 index 0000000..d959f39 --- /dev/null +++ b/ingress/providers.tf @@ -0,0 +1,9 @@ + +terraform { + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + } +} diff --git a/ingress/variables.tf b/ingress/variables.tf new file mode 100644 index 0000000..b1f21b1 --- /dev/null +++ b/ingress/variables.tf @@ -0,0 +1,46 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "namespace" { + type = string +} +variable "issuer" { + type = string +} +variable "ingress_class" { + type = string +} + +variable "labels" { + type = map(string) +} +variable "dns_names" { + type = list(string) +} +variable "middlewares" { + type = list(string) + default = [] +} +variable "services" { + type = list(any) +} + +variable "create_redirect" { + type = bool + default = false +} +variable "create_cert" { + type = bool + default = true +} +variable "sub_paths" { + type = list(string) + default = [""] +} +variable "secret_component" { + type = string + default = "" +} diff --git a/mysql/mysql.tf b/mysql/mysql.tf new file mode 100644 index 0000000..e255552 --- /dev/null +++ b/mysql/mysql.tf @@ -0,0 +1,94 @@ +locals { + mysql_host = "${var.instance}-${var.component}-db.${var.namespace}.svc" + mysql_username = data.kubernetes_secret_v1.prj_mysql_secret.data["rootUser"] + mysql_password = data.kubernetes_secret_v1.prj_mysql_secret.data["rootPassword"] +} + +resource "kubectl_manifest" "prj_mysql_secret" { + yaml_body = <<-EOF + apiVersion: "secretgenerator.mittwald.de/v1alpha1" + kind: "StringSecret" + metadata: + name: "${var.instance}-${var.component}-db" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + forceRegenerate: false + data: + rootUser: "root-${var.instance}" + rootHost: "%" + username: "${var.instance}" + userHost: "%" + fields: + - fieldName: "rootPassword" + length: "32" + - fieldName: "password" + length: "32" + EOF +} + +resource "kubectl_manifest" "prj_mysql" { + depends_on = [kubectl_manifest.prj_mysql_secret] + yaml_body = <<-EOF + apiVersion: mysql.oracle.com/v2 + kind: InnoDBCluster + metadata: + name: "${var.instance}-${var.component}-db" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + secretName: ${kubectl_manifest.prj_mysql_secret.name} + tlsUseSelfSigned: true + # tlsSecretName: "${var.instance}-db-cert" + instances: 1 + router: + instances: 1 + edition: community + imagePullPolicy: IfNotPresent + datadirVolumeClaimTemplate: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "${var.storage}" + EOF +} + +resource "time_sleep" "wait_mysql_ready" { + depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql] + create_duration = "45s" +} + +data "kubernetes_secret_v1" "prj_mysql_secret" { + depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready] + metadata { + name = "${var.instance}-${var.component}-db" + namespace = var.namespace + } +} + +resource "mysql_database" "app" { + depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready] + name = var.database +} + +resource "mysql_user" "app_user" { + depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready] + host = data.kubernetes_secret_v1.prj_mysql_secret.data["userHost"] + user = data.kubernetes_secret_v1.prj_mysql_secret.data["username"] + plaintext_password = data.kubernetes_secret_v1.prj_mysql_secret.data["password"] +} + +resource "mysql_grant" "app_user_grant" { + depends_on = [ + kubectl_manifest.prj_mysql_secret, + kubectl_manifest.prj_mysql, + time_sleep.wait_mysql_ready, + mysql_database.app, + mysql_user.app_user + ] + user = mysql_user.app_user.user + host = mysql_user.app_user.host + database = mysql_database.app.name + privileges = ["ALL PRIVILEGES"] +} diff --git a/mysql/providers.tf b/mysql/providers.tf new file mode 100644 index 0000000..2f82f2d --- /dev/null +++ b/mysql/providers.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + mysql = { + source = "TakatoHano/mysql" + version = "1.2.1" + } + } +} \ No newline at end of file diff --git a/mysql/variables.tf b/mysql/variables.tf new file mode 100644 index 0000000..2cd8632 --- /dev/null +++ b/mysql/variables.tf @@ -0,0 +1,18 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "namespace" { + type = string +} +variable "labels" { + type = map(string) +} +variable "storage" { + type = string +} +variable "database" { + type = string +} diff --git a/oauth2/oauth2.tf b/oauth2/oauth2.tf new file mode 100644 index 0000000..99fa9f0 --- /dev/null +++ b/oauth2/oauth2.tf @@ -0,0 +1,73 @@ +resource "kubectl_manifest" "oauth2-secret" { + ignore_fields = ["metadata.annotations"] + yaml_body = <<-EOF + apiVersion: "secretgenerator.mittwald.de/v1alpha1" + kind: "StringSecret" + metadata: + name: "${var.component}-${var.instance}-id" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + forceRegenerate: false + fields: + - fieldName: "client-id" + length: "32" + EOF +} +data "kubernetes_secret_v1" "oauth2-client-id" { + depends_on = [kubectl_manifest.oauth2-secret] + metadata { + name = kubectl_manifest.oauth2-secret.name + namespace = var.namespace + } +} + +data "authentik_certificate_key_pair" "ca" { + name = "authentik Self-signed Certificate" +} + +data "authentik_scope_mapping" "oauth2" { + managed_list = [ + "goauthentik.io/providers/oauth2/scope-email", + "goauthentik.io/providers/oauth2/scope-openid", + "goauthentik.io/providers/oauth2/scope-profile" + ] +} +data "authentik_flow" "default-authorization-flow" { + slug = "default-provider-authorization-implicit-consent" +} +data "authentik_flow" "default-authentication-flow" { + slug = "default-authentication-flow" +} + +resource "authentik_provider_oauth2" "oauth2" { + name = "${var.component}-${var.instance}" + client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] + authentication_flow = data.authentik_flow.default-authentication-flow.id + authorization_flow = data.authentik_flow.default-authorization-flow.id + client_type = "confidential" + sub_mode = "user_username" + signing_key = data.authentik_certificate_key_pair.ca.id + property_mappings = data.authentik_scope_mapping.oauth2.ids + redirect_uris = [ + "https://${var.dns_name}/${var.redirect_path}" + ] +} + +resource "kubernetes_secret_v1" "oauth2-client-secret" { + metadata { + name = "${var.component}-${var.instance}-secret" + namespace = var.namespace + labels = var.labels + } + data = { + client-secret = authentik_provider_oauth2.oauth2.client_secret + } +} + +data "kubernetes_ingress_v1" "authentik" { + metadata { + name = "authentik" + namespace = "${var.domain}-auth" + } +} diff --git a/oauth2/outputs.tf b/oauth2/outputs.tf new file mode 100644 index 0000000..79792c3 --- /dev/null +++ b/oauth2/outputs.tf @@ -0,0 +1,7 @@ +output "provider-id" { + value = authentik_provider_oauth2.oauth2.id +} + +output "sso_configuration_url" { + value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}" +} diff --git a/oauth2/providers.tf b/oauth2/providers.tf new file mode 100644 index 0000000..9424f6f --- /dev/null +++ b/oauth2/providers.tf @@ -0,0 +1,17 @@ + +terraform { + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.20.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + authentik = { + source = "goauthentik/authentik" + version = "~> 2023.5.0" + } + } +} diff --git a/oauth2/variables.tf b/oauth2/variables.tf new file mode 100644 index 0000000..176185b --- /dev/null +++ b/oauth2/variables.tf @@ -0,0 +1,22 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "namespace" { + type = string +} +variable "domain" { + type = string +} +variable "labels" { + type = map(string) +} +variable "dns_name" { + type = string +} +variable "redirect_path" { + type = string + default = "" +} diff --git a/saml/outputs.tf b/saml/outputs.tf new file mode 100644 index 0000000..851a91b --- /dev/null +++ b/saml/outputs.tf @@ -0,0 +1,3 @@ +output "provider-id" { + value = authentik_provider_saml.prj.id +} \ No newline at end of file diff --git a/saml/providers.tf b/saml/providers.tf new file mode 100644 index 0000000..2e19c92 --- /dev/null +++ b/saml/providers.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + authentik = { + source = "goauthentik/authentik" + version = "~> 2023.5.0" + } + } +} diff --git a/saml/saml.tf b/saml/saml.tf new file mode 100644 index 0000000..3168f04 --- /dev/null +++ b/saml/saml.tf @@ -0,0 +1,56 @@ +data "authentik_flow" "default-authorization-flow" { + slug = "default-provider-authorization-implicit-consent" +} +data "authentik_flow" "default-authentication-flow" { + slug = "default-authentication-flow" +} + +data "authentik_property_mapping_saml" "saml_maps" { + managed_list = [ + "goauthentik.io/providers/saml/email", + "goauthentik.io/providers/saml/groups", + "goauthentik.io/providers/saml/name", + "goauthentik.io/providers/saml/upn", + "goauthentik.io/providers/saml/uid", + "goauthentik.io/providers/saml/username", + "goauthentik.io/providers/saml/ms-windowsaccountname", + ] +} + +data "authentik_property_mapping_saml" "saml_name" { + managed = "goauthentik.io/providers/saml/username" +} + +data "authentik_certificate_key_pair" "generated" { + name = "authentik Self-signed Certificate" +} + +resource "kubectl_manifest" "saml_certificate" { + yaml_body = <<-EOF + apiVersion: "cert-manager.io/v1" + kind: "Certificate" + metadata: + name: "${var.instance}-${var.component}-saml" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + secretName: "${var.instance}-${var.component}-saml" + dnsNames: ${jsonencode(var.dns_names)} + issuerRef: + name: "self-sign" + kind: "ClusterIssuer" + group: "cert-manager.io" + EOF +} + +resource "authentik_provider_saml" "prj" { + name = "${var.component}-${var.instance}-saml" + authentication_flow = data.authentik_flow.default-authentication-flow.id + authorization_flow = data.authentik_flow.default-authorization-flow.id + acs_url = "https://${var.dns_names[0]}/${var.acs_path}" + property_mappings = data.authentik_property_mapping_saml.saml_maps.ids + name_id_mapping = data.authentik_property_mapping_saml.saml_name.id + signing_kp = data.authentik_certificate_key_pair.generated.id + sp_binding = var.binding +} + diff --git a/saml/variables.tf b/saml/variables.tf new file mode 100644 index 0000000..9607ccb --- /dev/null +++ b/saml/variables.tf @@ -0,0 +1,19 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "dns_names" { + type = list(string) +} +variable "acs_path" { + type = string +} +variable "binding" { + type = string + default = "post" +} +variable "labels" { + type = map(string) +} diff --git a/service/providers.tf b/service/providers.tf new file mode 100644 index 0000000..45aaada --- /dev/null +++ b/service/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + } +} diff --git a/service/svc.tf b/service/svc.tf new file mode 100644 index 0000000..563208d --- /dev/null +++ b/service/svc.tf @@ -0,0 +1,22 @@ +locals { + ports = [ for idx, target in var.targets : { + "name" = target + "port"= var.ports[idx] + "protocol"= var.protocols[idx] + "targetPort" = target + }] +} +resource "kubectl_manifest" "service" { + yaml_body = <<-EOF + apiVersion: v1 + kind: Service + metadata: + name: "${var.instance}-${var.component}" + namespace: "${var.namespace}" + labels: ${jsonencode(var.labels)} + spec: + type: ClusterIP + ports: ${jsonencode(local.ports)} + selector: ${jsonencode(var.labels)} + EOF +} diff --git a/service/variables.tf b/service/variables.tf new file mode 100644 index 0000000..689d49b --- /dev/null +++ b/service/variables.tf @@ -0,0 +1,24 @@ +variable "component" { + type = string +} +variable "instance" { + type = string +} +variable "namespace" { + type = string +} +variable "labels" { + type = map(string) +} +variable "ports" { + type = list + default = [80] +} +variable "targets" { + type = list + default = ["http"] +} +variable "protocols" { + type = list + default = ["TCP"] +} \ No newline at end of file