Reafacto OAuth2

Add roles mappings Remove legacy groups
2024-12-27 16:38:12 +01:00
parent fa2a69c61e
commit e8d1c4e86a
6 changed files with 87 additions and 47 deletions
--- a/oauth2/oauth2.tf
+++ b/oauth2/oauth2.tf
@@ -1,5 +1,6 @@
 locals {
-  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  main_group = format("kydah-%s", local.app_slug)
  oauth2_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-oauth2"
  })
@@ -7,35 +8,44 @@ locals {
  signing_id   = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
 }

-resource "kubectl_manifest" "secret_gen" {
-  yaml_body = <<-EOF
-    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-    kind: "StringSecret"
-    metadata:
-      name: "${local.app_slug}-oauth2"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.oauth2_labels)}
-      ownerReferences: ${jsonencode(var.owner_references)}
-    spec:
-      forceRegenerate: false
-      fields:
-      - fieldName: "client_id"
-        length: "32"
-  EOF
-}
-data "kubernetes_secret_v1" "secret_gen" {
-  metadata {
-    name      = kubectl_manifest.secret_gen.name
-    namespace = var.namespace
-  }
+resource "random_uuid" "client_id" {
 }
+
+# resource "kubectl_manifest" "secret_gen" {
+#   yaml_body = <<-EOF
+#     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+#     kind: "StringSecret"
+#     metadata:
+#       name: "${local.app_slug}-oauth2"
+#       namespace: "${var.namespace}"
+#       labels: ${jsonencode(local.oauth2_labels)}
+#       ownerReferences: ${jsonencode(var.owner_references)}
+#     spec:
+#       forceRegenerate: false
+#       fields:
+#       - fieldName: "client_id"
+#         length: "32"
+#   EOF
+# }
+# data "kubernetes_secret_v1" "secret_gen" {
+#   metadata {
+#     name      = kubectl_manifest.secret_gen.name
+#     namespace = var.namespace
+#   }
+# }
 data "authentik_certificate_key_pair" "ca" {
  name = "authentik Self-signed Certificate"
 }
+
+resource "authentik_property_mapping_provider_scope" "app_scope" {
+  count      = var.scope_attributes != "" ? 1 : 0
+  name       = local.app_slug
+  scope_name = local.app_slug
+  expression = var.scope_attributes
+}
+
 data "authentik_property_mapping_provider_scope" "oauth2" {
-  managed_list = [
-    for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"
-  ]
+  managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
 }
 data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
@@ -48,17 +58,25 @@ data "authentik_flow" "default_invalidation_flow" {
 }

 resource "authentik_group" "app_group" {
-  name       = local.app_slug
-  attributes = jsonencode({ "app_slug" = local.app_slug })
+  name       = local.main_group
+  attributes = jsonencode({
+    "${local.app_slug}" = {
+      "kydah_instance"  = var.instance
+      "kydah_component" = var.component
+    }
+  })
 }

-resource "authentik_group" "groups" {
+resource "authentik_group" "sub_groups" {
  for_each = var.group_mapping
-  name     = each.key
+  name     = format("%s-%s", local.main_group, each.key)
  parent   = authentik_group.app_group.id
  attributes = jsonencode({
-    "app_slug"       = local.app_slug
-    "gen_group_name" = each.value
+    "${local.app_slug}" = {
+      "kydah_instance"  = var.instance
+      "kydah_component" = var.component
+      "kydah_app_group" = each.value
+    }
  })
 }

@@ -78,15 +96,19 @@ resource "authentik_certificate_key_pair" "name" {
 }

 resource "authentik_provider_oauth2" "oauth2" {
+  depends_on          = [authentik_property_mapping_provider_scope.app_scope]
  name                = local.app_slug
-  client_id           = data.kubernetes_secret_v1.secret_gen.data.client_id
+  client_id           = random_uuid.client_id.result
  authentication_flow = data.authentik_flow.default_authentication_flow.id
  authorization_flow  = data.authentik_flow.default_authorization_flow.id
  invalidation_flow   = data.authentik_flow.default_invalidation_flow.id
  client_type         = var.client_type
  sub_mode            = "user_username"
  signing_key         = local.signing_id
-  property_mappings   = data.authentik_property_mapping_provider_scope.oauth2.ids
+  property_mappings = concat(
+    data.authentik_property_mapping_provider_scope.oauth2.ids,
+    var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
+  )
  redirect_uris = [
    "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
  ]
@@ -100,7 +122,7 @@ data "kubernetes_ingress_v1" "authentik" {
 }

 resource "kubectl_manifest" "oauth2_client_secret" {
-  force_new = true
+  # force_new = true
  yaml_body = <<-EOF
    apiVersion: v1
    kind: Secret
@@ -111,7 +133,7 @@ resource "kubectl_manifest" "oauth2_client_secret" {
      ownerReferences: ${jsonencode(var.owner_references)}
    data:
      oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
-      client_id: "${base64encode(data.kubernetes_secret_v1.secret_gen.data.client_id)}"
+      client_id: "${base64encode(random_uuid.client_id.result)}"
      client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
  EOF
 }