Reafacto OAuth2

Add roles mappings
Remove legacy groups

.gitignore

@@ -0,0 +1 @@
+.terraform*

ak-gatekeeper/ak_provider.tf

@@ -0,0 +1,17 @@
+data "authentik_flow" "proxy_authorization_flow" {
+  depends_on = [data.kubernetes_secret_v1.authentik]
+  slug       = "default-provider-authorization-implicit-consent"
+}
+data "authentik_flow" "default_invalidation_flow" {
+  depends_on = [data.kubernetes_secret_v1.authentik]
+  slug       = "default-provider-invalidation-flow"
+}
+
+resource "authentik_provider_proxy" "app_proxy_provider" {
+  name                  = "${local.app_slug}-provider"
+  external_host         = local.external_url
+  authorization_flow    = data.authentik_flow.proxy_authorization_flow.id
+  mode                  = "forward_single"
+  access_token_validity = var.access_token_validity
+  invalidation_flow     = data.authentik_flow.default_invalidation_flow.id
+}

ak-gatekeeper/common.tf

@@ -0,0 +1,15 @@
+data "kubernetes_secret_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  ak_gatekeeper_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "ak-gatekeeper"
+  })
+  authentik_url   = "http://authentik-authentik.${var.domain}-auth.svc"
+  authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
+  external_url    = format("https://%s", var.dns_name)
+}

ak-gatekeeper/middleware.tf

@@ -0,0 +1,15 @@
+resource "kubectl_manifest" "middleware" {
+  yaml_body = <<-EOF
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+        name: "${local.app_slug}-gatekeeper"
+        namespace: "${var.namespace}"
+        labels: ${jsonencode(local.ak_gatekeeper_labels)}
+    spec:
+      forwardAuth:
+        address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders: ${jsonencode(var.response_headers)}
+  EOF
+}

ak-gatekeeper/outpost.tf

@@ -0,0 +1,32 @@
+locals {
+  request_headers = {
+    "Content-Type" = "application/json"
+    Authorization  = "Bearer ${local.authentik_token}"
+  }
+  outposts = jsondecode(data.http.get_proxy_outpost.response_body).results
+  outpost_providers = local.outposts[0].providers
+  outpost_pk = local.outposts[0].pk
+}
+
+
+data "http" "get_proxy_outpost" {
+  depends_on      = [data.kubernetes_secret_v1.authentik]
+  url             = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
+  method          = "GET"
+  request_headers = local.request_headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
+    }
+  }
+}
+
+
+resource "restapi_object" "proxy_outpost_binding" {
+  path = "/outposts/instances/${local.outpost_pk}/"
+  data = jsonencode({
+    name      = "${var.domain}-proxy-outpost"
+    providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
+  })
+}

ak-gatekeeper/outpost_read.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+CURL_OPTIONS="-sL"
+if [ ! -z ${INSECURE_CURL+x} ]; then
+ CURL_OPTIONS="${CURL_OPTIONS} -k"
+fi
+OUTPUT_FILE=$(mktemp)
+HTTP_CODE=$(curl $CURL_OPTIONS \
+  --output $OUTPUT_FILE \
+  --write-out "%{http_code}" \
+  -H "Accept: application/json" \
+  -H "Authorization: Bearer ${AK_TOKEN}" \
+  "${AK_BASEURL}/api/v3/outposts/instances/${AK_OUTPOST_ID}/")
+if [[ ${HTTP_CODE} -lt 200 || ${HTTP_CODE} -gt 299 ]] ; then
+  >&2 cat $OUTPUT_FILE
+  rm $OUTPUT_FILE
+  exit 2
+fi
+cat | jq -r ".results"
+rm $OUTPUT_FILE

ak-gatekeeper/outputs.tf

@@ -0,0 +1,6 @@
+output "provider_id" {
+  value = authentik_provider_proxy.app_proxy_provider.id
+}
+output "middleware" {
+  value = kubectl_manifest.middleware.name
+}

ak-gatekeeper/providers.tf

@@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+    authentik = {
+      source  = "registry.terraform.io/goauthentik/authentik"
+      version = "2024.10.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 3.3.0"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "~> 1.18.0"
+    }
+  }
+}

ak-gatekeeper/variables.tf

@@ -0,0 +1,64 @@
+variable "component" {
+  type = string
+}
+
+variable "instance" {
+  type = string
+}
+
+variable "domain" {
+  type = string
+}
+
+variable "namespace" {
+  type = string
+}
+
+variable "labels" {
+  type = map(string)
+}
+
+variable "dns_name" {
+  type = string
+}
+
+variable "access_token_validity" {
+  type    = string
+  default = "hours=10" // ;minutes=10
+}
+
+variable "response_headers" {
+  type = list(string)
+  description = "List of sended headers from authentik to web application"
+  default = [
+    "X-authentik-username",
+    "X-authentik-email",
+    "X-authentik-groups",
+    "X-authentik-name",
+    "X-authentik-uid",
+    "X-authentik-jwt",
+    "X-authentik-meta-jwks",
+    "X-authentik-meta-outpost",
+    "X-authentik-meta-provider",
+    "X-authentik-meta-app",
+    "X-authentik-meta-version",
+  ]
+  validation {
+    condition = alltrue(
+      [for header in var.response_headers : contains([
+        "X-authentik-username",
+        "X-authentik-email",
+        "X-authentik-groups",
+        "X-authentik-name",
+        "X-authentik-uid",
+        "X-authentik-jwt",
+        "X-authentik-meta-jwks",
+        "X-authentik-meta-outpost",
+        "X-authentik-meta-provider",
+        "X-authentik-meta-app",
+        "X-authentik-meta-version",
+      ], header)]
+    )
+    error_message = "Only som headers are allowed by authentik"
+  }
+}

application/providers.tf

@@ -1,12 +1,13 @@
 terraform {
+  required_version = ">= 1.0"
   required_providers {
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "~> 1.14.0"
     }
     authentik = {
-      source  = "goauthentik/authentik"
+      source  = "registry.terraform.io/goauthentik/authentik"
-      version = "~> 2023.5.0"
+      version = "2024.10.0"
     }
   }
 }

forward/forward.tf

@@ -22,7 +22,7 @@ resource "authentik_provider_proxy" "forward" {
 
 data "http" "get_forward_outpost" {
   depends_on      = [authentik_provider_proxy.forward]
-  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+  url             = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
   method          = "GET"
   request_headers = var.request_headers
   lifecycle {

ldap/ldap.tf

@@ -6,7 +6,7 @@ locals {
   base_dn                = format("dc=%s", join(",dc=", split(".", var.dns_name)))
   base_group_dn          = format("ou=groups,%s", local.base_dn)
   base_user_dn           = format("ou=users,%s", local.base_dn)
-  authentik_base_url     = "http://authentik.${var.domain}-auth.svc"
+  authentik_base_url     = "http://authentik-authentik.${var.domain}-auth.svc"
   ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
   ldap_outpost_pk        = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
 

oauth2/oauth2.tf

@@ -1,25 +1,51 @@
 locals {
-  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  main_group = format("kydah-%s", local.app_slug)
   oauth2_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "authentik-oauth2"
   })
+  cert_signing = var.cert_sign_secret_name != ""
+  signing_id   = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
 }
 
-resource "random_password" "client_id" {
+resource "random_uuid" "client_id" {
-  length  = 32
-  special = false
 }
 
+# resource "kubectl_manifest" "secret_gen" {
+#   yaml_body = <<-EOF
+#     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+#     kind: "StringSecret"
+#     metadata:
+#       name: "${local.app_slug}-oauth2"
+#       namespace: "${var.namespace}"
+#       labels: ${jsonencode(local.oauth2_labels)}
+#       ownerReferences: ${jsonencode(var.owner_references)}
+#     spec:
+#       forceRegenerate: false
+#       fields:
+#       - fieldName: "client_id"
+#         length: "32"
+#   EOF
+# }
+# data "kubernetes_secret_v1" "secret_gen" {
+#   metadata {
+#     name      = kubectl_manifest.secret_gen.name
+#     namespace = var.namespace
+#   }
+# }
 data "authentik_certificate_key_pair" "ca" {
   name = "authentik Self-signed Certificate"
 }
 
-data "authentik_scope_mapping" "oauth2" {
+resource "authentik_property_mapping_provider_scope" "app_scope" {
-  managed_list = [
+  count      = var.scope_attributes != "" ? 1 : 0
-    "goauthentik.io/providers/oauth2/scope-email",
+  name       = local.app_slug
-    "goauthentik.io/providers/oauth2/scope-openid",
+  scope_name = local.app_slug
-    "goauthentik.io/providers/oauth2/scope-profile"
+  expression = var.scope_attributes
-  ]
+}
+
+data "authentik_property_mapping_provider_scope" "oauth2" {
+  managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
 }
 data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
@@ -27,16 +53,62 @@ data "authentik_flow" "default_authorization_flow" {
 data "authentik_flow" "default_authentication_flow" {
   slug = "default-authentication-flow"
 }
+data "authentik_flow" "default_invalidation_flow" {
+  slug = "default-provider-invalidation-flow"
+}
+
+resource "authentik_group" "app_group" {
+  name       = local.main_group
+  attributes = jsonencode({
+    "${local.app_slug}" = {
+      "kydah_instance"  = var.instance
+      "kydah_component" = var.component
+    }
+  })
+}
+
+resource "authentik_group" "sub_groups" {
+  for_each = var.group_mapping
+  name     = format("%s-%s", local.main_group, each.key)
+  parent   = authentik_group.app_group.id
+  attributes = jsonencode({
+    "${local.app_slug}" = {
+      "kydah_instance"  = var.instance
+      "kydah_component" = var.component
+      "kydah_app_group" = each.value
+    }
+  })
+}
+
+data "kubernetes_secret_v1" "signing_cert" {
+  count = var.cert_sign_secret_name != "" ? 1 : 0
+  metadata {
+    name      = var.cert_sign_secret_name
+    namespace = var.namespace
+  }
+}
+
+resource "authentik_certificate_key_pair" "name" {
+  count            = local.cert_signing ? 1 : 0
+  name             = "${local.app_slug} Signing"
+  certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
+  key_data         = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
+}
 
 resource "authentik_provider_oauth2" "oauth2" {
+  depends_on          = [authentik_property_mapping_provider_scope.app_scope]
   name                = local.app_slug
-  client_id           = random_password.client_id.result
+  client_id           = random_uuid.client_id.result
   authentication_flow = data.authentik_flow.default_authentication_flow.id
   authorization_flow  = data.authentik_flow.default_authorization_flow.id
-  client_type         = "confidential"
+  invalidation_flow   = data.authentik_flow.default_invalidation_flow.id
+  client_type         = var.client_type
   sub_mode            = "user_username"
-  signing_key         = data.authentik_certificate_key_pair.ca.id
+  signing_key         = local.signing_id
-  property_mappings   = data.authentik_scope_mapping.oauth2.ids
+  property_mappings = concat(
+    data.authentik_property_mapping_provider_scope.oauth2.ids,
+    var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
+  )
   redirect_uris = [
     "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
   ]
@@ -49,15 +121,32 @@ data "kubernetes_ingress_v1" "authentik" {
   }
 }
 
-resource "kubernetes_secret" "oauth2_client_secret" {
+resource "kubectl_manifest" "oauth2_client_secret" {
-  metadata {
+  # force_new = true
-    name      = "${local.app_slug}-oauth2"
+  yaml_body = <<-EOF
-    namespace = var.namespace
+    apiVersion: v1
-    labels    = local.oauth2_labels
+    kind: Secret
-  }
+    metadata:
-  data = {
+      name: "${local.app_slug}-oauth2"
-    oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
+      namespace: "${var.namespace}"
-    client_id     = random_password.client_id.result
+      labels: ${jsonencode(local.oauth2_labels)}
-    client_secret = authentik_provider_oauth2.oauth2.client_secret
+      ownerReferences: ${jsonencode(var.owner_references)}
-  }
+    data:
+      oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
+      client_id: "${base64encode(random_uuid.client_id.result)}"
+      client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
+  EOF
 }
+
+# resource "kubernetes_secret" "oauth2_client_secret" {
+#   metadata {
+#     name      = "${local.app_slug}-oauth2"
+#     namespace = var.namespace
+#     labels    = local.oauth2_labels
+#   }
+#   data = {
+#     oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
+#     client_id     = data.kubernetes_secret_v1.secret_gen.data["client_id"]
+#     client_secret = authentik_provider_oauth2.oauth2.client_secret
+#   }
+# }

oauth2/outputs.tf

@@ -23,7 +23,7 @@ output "sso_token_url" {
 }
 
 output "client_id" {
-  value = random_password.client_id.result
+  value = random_uuid.client_id.result
 }
 
 output "client_secret" {
@@ -31,6 +31,6 @@ output "client_secret" {
 }
 
 output "oauth2_secret_name" {
-  value = kubernetes_secret.oauth2_client_secret.metadata[0].name
+  value = kubectl_manifest.oauth2_client_secret.name
 }
 

oauth2/providers.tf

@@ -1,5 +1,6 @@
 
 terraform {
+  required_version = ">= 1.0"
   required_providers {
     kubernetes = {
       source  = "hashicorp/kubernetes"
@@ -10,8 +11,12 @@ terraform {
       version = "~> 1.14.0"
     }
     authentik = {
-      source  = "goauthentik/authentik"
+      source  = "registry.terraform.io/goauthentik/authentik"
-      version = "~> 2023.5.0"
+      version = "2024.10.0"
+    }
+    random = {
+      source = "hashicorp/random"
+      version = "3.6.3"
     }
   }
 }

oauth2/variables.tf

@@ -20,3 +20,41 @@ variable "redirect_path" {
   type    = string
   default = ""
 }
+variable "group_mapping" {
+  type = map(string)
+  default = {}
+  description = "Group mapping where key is authentik suffix group name and value is the application group name"
+}
+variable "owner_references" {
+  type = list(object({}))
+  description = "Adding owner references"
+  default = []
+}
+variable "scopes" {
+  type = list(string)
+  description = "List of default scope allowed"
+  default = [
+    "scope-email",
+    "scope-openid",
+    "scope-profile",
+  ]
+}
+variable "scope_attributes" {
+  type = string
+  description = "Authentik expression for scope mapping"
+  default = ""
+}
+variable "client_type" {
+  type = string
+  description = "OAuth client type confidential / public(PKCE)"
+  default = "confidential"
+  validation {
+    condition     = contains(["confidential", "public"], var.client_type)
+    error_message = "Only empty confidential or public is allowed"
+  }
+}
+variable "cert_sign_secret_name" {
+  type = string
+  description = "The name of the secret for signing JWT (if empty use authentik default)"
+  default = ""
+}

postgresql/providers.tf

@@ -1,5 +1,10 @@
 terraform {
+  required_version = ">= 1.0"
   required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "~> 1.14.0"

postgresql/variables.tf

@@ -25,21 +25,25 @@ variable "backups" {
     "use_barman"  = false
   }
   type = object({
-    enable     = optional(bool),
+    enable     = optional(bool, false),
-    endpoint   = optional(string),
+    endpoint   = optional(string, ""),
-    key_id_key = optional(string),
+    key_id_key = optional(string, "s3-id"),
-    restic_key = optional(string),
+    restic_key = optional(string, "bck-password"),
     schedule = optional(object({
-      db = optional(string),
+      db = string,
-    })),
+    }), { db = "30 3 * * *" }),
-    secret_key  = optional(string),
+    secret_key  = optional(string, "s3-secret"),
-    secret_name = optional(string),
+    secret_name = optional(string, "backup-settings"),
-    use_barman  = optional(bool)
+    use_barman  = optional(bool, false)
   })
 }
 variable "images" {
   type = object({
-    postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
+    postgresql = optional(object({
+      registry = optional(string),
+      repository = optional(string),
+      tag = optional(number)
+    })),
   })
   default = {
     "postgresql" = {

pvc/providers.tf

@@ -1,8 +1,13 @@
 terraform {
+  required_version = ">= 1.0"
   required_providers {
-    kubectl = {
+    kubernetes = {
-      source  = "gavinbunney/kubectl"
+      source  = "hashicorp/kubernetes"
-      version = "~> 1.14.0"
+      version = "~> 2.20.0"
     }
+    # kubectl = {
+    #   source  = "gavinbunney/kubectl"
+    #   version = "~> 1.14.0"
+    # }
   }
 }

pvc/pvc.tf

@@ -3,30 +3,60 @@ locals {
   pvc_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "pvc"
   })
-  pvc_spec = merge({
+  pvc_annotations = {
-    "accessModes" = [var.storage.access_mode]
+    "k8up.io/backup" = var.backup
-    "volumeMode"  = var.storage.type
+    "resize.kubesphere.io/storage_limit" = var.storage.max_size
-    "resources" = {
+  }
-      "requests" = {
+  # pvc_spec = merge({
-        "storage" = var.storage.size
+  #   "accessModes" = [var.storage.access_mode]
+  #   "volumeMode"  = var.storage.type
+  #   "resources" = {
+  #     "requests" = {
+  #       "storage" = var.storage.size
+  #     }
+  #   }
+  #   }, var.storage.class != "" ? {
+  #   "storageClassName" = var.storage.class
+  # } : {})
+}
+# resource "kubectl_manifest" "pvc" {
+#   ignore_fields = [
+#     "spec.resources.requests.storage",
+#     "spec.storageClassName",
+#   ]
+#   yaml_body = <<-EOF
+#     apiVersion: v1
+#     kind: PersistentVolumeClaim
+#     metadata:
+#       name: ${local.app_slug}
+#       namespace: "${var.namespace}"
+#       annotations:
+#         k8up.io/backup: "${var.backup}"
+#         resize.kubesphere.io/storage_limit: "${var.storage.max_size}"
+#       labels: ${jsonencode(local.pvc_labels)}
+#     spec: ${jsonencode(local.pvc_spec)}
+#   EOF
+# }
+resource "kubernetes_persistent_volume_claim_v1" "pvc" {
+  metadata {
+    name = local.app_slug
+    namespace = var.namespace
+    annotations = local.pvc_annotations
+    labels = local.pvc_labels
+  }
+  spec {
+    access_modes = [var.storage.access_mode]
+    resources {
+      requests = {
+        storage = var.storage.size
       }
     }
-    }, var.storage.class != "" ? {
+    storage_class_name = var.storage.class
-    "storageClassName" = var.storage.class
+  }
-  } : {})
+  lifecycle {
-}
+    ignore_changes = [
-resource "kubectl_manifest" "pvc" {
+      spec[0].resources[0].requests[0],
-  ignore_fields = ["spec.resources.requests.storage"]
+      spec[0].storage_class_name,
-  yaml_body = <<-EOF
+     ]
-    apiVersion: v1
+  }
-    kind: PersistentVolumeClaim
+}
-    metadata:
-      name: ${local.app_slug}
-      namespace: "${var.namespace}"
-      annotations:
-        k8up.io/backup: "${var.backup}"
-        resize.kubesphere.io/storage_limit: "${var.storage.max_size}
-      labels: ${jsonencode(local.pvc_labels)}
-    spec: ${jsonencode(local.pvc_spec)}
-  EOF
-}

pvc/variables.tf

@@ -12,19 +12,12 @@ variable "labels" {
 }
 variable "storage" {
   type = object({
-    access_mode = optional(string),
+    access_mode = optional(string, "ReadWriteOnce"),
-    class       = optional(string),
+    class       = optional(string, ""),
-    size        = optional(string),
+    size        = optional(string, "2Gi"),
-    max_size    = optional(string),
+    max_size    = optional(string, "10Gi"),
-    type        = optional(string)
+    type        = optional(string, "Filesystem")
   })
-  default = {
-    "access_mode" = "ReadWriteOnce"
-    "class"       = ""
-    "size"        = "2Gi"
-    "max_size"    = "10Gi"
-    "type"        = "Filesystem"
-  }
 }
 
 variable "backup" {

redis/outputs.tf

@@ -1,5 +1,5 @@
 output "conn_string" {
-  value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
+  value = "tcp://${local.app_slug}-redis.${var.namespace}.svc:6379"
 }
 
 output "service" {

service/providers.tf

@@ -1,4 +1,5 @@
 terraform {
+  required_version = ">= 1.0"
   required_providers {
     kubectl = {
       source  = "gavinbunney/kubectl"

service/svc.tf

@@ -66,6 +66,7 @@ resource "kubectl_manifest" "endpoint" {
       name: "${local.app_slug}"
       namespace: "${var.namespace}"
       labels: ${jsonencode(var.labels)}
+      ownerReferences: ${jsonencode(var.owner_references)}
     subsets:
       - addresses:
           - ip: ${var.target_host}

service/variables.tf

@@ -79,3 +79,9 @@ variable "lb_policy" {
     error_message = "Only Cluster or Local is allowed"
   }
 }
+
+variable "owner_references" {
+  type = list(object({}))
+  description = "Adding owner references"
+  default = []
+}