No more sercretString dans oauth2

application/application.tf

@@ -7,13 +7,14 @@ data "authentik_group" "akadmin" {
 }
 resource "authentik_group" "groups" {
   name       = local.main_group
-  attributes = jsonencode({ "${local.app_name}" = true })
+  attributes = jsonencode({ "${local.app_name}" = var.attributes })
 }
 
 resource "authentik_group" "subgroup" {
   count  = length(var.sub_groups)
   name   = format("%s-%s", local.main_group, var.sub_groups[count.index])
   parent = authentik_group.groups.id
+  attributes = length(var.sub_groups_attributes)>count.index?jsonencode({ "${local.app_name}" = var.sub_groups_attributes[count.index] }):jsonencode({ "${local.app_name}" = var.attributes })
 }
 
 resource "authentik_application" "prj_app" {
@@ -30,7 +31,7 @@ resource "authentik_policy_expression" "policy" {
   name       = local.main_group
   expression = <<-EOF
     attr = request.user.group_attributes()
-    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
+    return True if '${local.app_name}' in attr else False
   EOF
 }
 

application/variables.tf

@@ -26,3 +26,9 @@ variable "backchannel_providers" {
   type    = list(number)
   default = null
 }
+variable "attributes" {
+  default = {enable = true}
+}
+variable "sub_groups_attributes" {
+  default = []
+}

oauth2/oauth2.tf

@@ -4,29 +4,9 @@ locals {
     "app.kubernetes.io/component" = "authentik-oauth2"
   })
 }
-resource "kubectl_manifest" "oauth2-secret" {
-  ignore_fields = ["metadata.annotations"]
-  yaml_body     = <<-EOF
-    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-    kind: "StringSecret"
-    metadata:
-      name: "${local.app_slug}-id"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.oauth2_labels)}
-    spec:
-      forceRegenerate: false
-      fields:
-      - fieldName: "client-id"
-        length: "32"
-  EOF
-}
-data "kubernetes_secret_v1" "oauth2-client-id" {
-  depends_on = [kubectl_manifest.oauth2-secret]
-  metadata {
-    name      = kubectl_manifest.oauth2-secret.name
-    namespace = var.namespace
-    labels = local.oauth2_labels
-  }
+resource "random_password" "client_id" {
+  length           = 32
+  special          = false
 }
 
 data "authentik_certificate_key_pair" "ca" {
@@ -49,7 +29,7 @@ data "authentik_flow" "default-authentication-flow" {
 
 resource "authentik_provider_oauth2" "oauth2" {
   name                = "${local.app_slug}"
-  client_id           = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
+  client_id           = random_password.client_id.result
   authentication_flow = data.authentik_flow.default-authentication-flow.id
   authorization_flow  = data.authentik_flow.default-authorization-flow.id
   client_type         = "confidential"
@@ -61,6 +41,17 @@ resource "authentik_provider_oauth2" "oauth2" {
   ]
 }
 
+resource "kubernetes_secret_v1" "oauth2-client-id" {
+  metadata {
+    name      = "${local.app_slug}-id"
+    namespace = var.namespace
+    labels    = local.oauth2_labels
+  }
+  data = {
+    client-id = random_password.client_id.result
+  }
+}
+
 resource "kubernetes_secret_v1" "oauth2-client-secret" {
   metadata {
     name      = "${local.app_slug}-secret"
@@ -68,6 +59,7 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
     labels    = local.oauth2_labels
   }
   data = {
+    client-id = random_password.client_id.result
     client-secret = authentik_provider_oauth2.oauth2.client_secret
   }
 }

oauth2/outputs.tf

@@ -18,14 +18,14 @@ output "sso_token_url" {
   value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
 }
 output "client_id" {
-  value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
+  value = random_password.client_id.result
 }
 output "client_secret" {
-  value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
+  value = authentik_provider_oauth2.oauth2.client_secret
 }
 
 output "secret_client_id_name" {
-  value = kubectl_manifest.oauth2-secret.name
+  value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
 }
 output "secret_client_secret_name" {
   value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name

saml/outputs.tf

@@ -1,3 +1,27 @@
+output "app_id" {
+  value       = "${local.app_slug}-saml"
+}
 output "provider-id" {
   value       = authentik_provider_saml.prj.id
-}
+}
+output "issuer" {
+  value       = authentik_provider_saml.prj.issuer
+}
+output "url_slo_post" {
+  value       = authentik_provider_saml.prj.url_slo_post
+}
+output "url_slo_redirect" {
+  value       = authentik_provider_saml.prj.url_slo_redirect
+}
+output "url_sso_init" {
+  value       = authentik_provider_saml.prj.url_sso_init
+}
+output "url_sso_post" {
+  value       = authentik_provider_saml.prj.url_sso_post
+}
+output "url_sso_redirect" {
+  value       = authentik_provider_saml.prj.url_sso_redirect
+}
+output "certificate_data" {
+  value       = data.authentik_certificate_key_pair.generated.certificate_data
+}

saml/saml.tf

@@ -1,6 +1,6 @@
 locals{
   app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
-    saml_labels = merge(var.labels, {
+  saml_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "authentik-saml"
   })
 }
@@ -12,7 +12,7 @@ data "authentik_flow" "default-authentication-flow" {
 }
 
 data "authentik_property_mapping_saml" "saml_maps" {
-  managed_list = [
+  managed_list = var.group_mapping==null?[
       "goauthentik.io/providers/saml/email",
       "goauthentik.io/providers/saml/groups",
       "goauthentik.io/providers/saml/name",
@@ -20,9 +20,24 @@ data "authentik_property_mapping_saml" "saml_maps" {
       "goauthentik.io/providers/saml/uid",
       "goauthentik.io/providers/saml/username",
       "goauthentik.io/providers/saml/ms-windowsaccountname",
+  ]:[
+      "goauthentik.io/providers/saml/email",
+      "goauthentik.io/providers/saml/name",
+      "goauthentik.io/providers/saml/upn",
+      "goauthentik.io/providers/saml/uid",
+      "goauthentik.io/providers/saml/username",
+      "goauthentik.io/providers/saml/ms-windowsaccountname",
   ]
 }
 
+resource "authentik_property_mapping_saml" "mapping" {
+  count         = var.group_mapping==null?0:1
+  friendly_name = "groups"
+  name          = "${local.app_slug} Group mapping"
+  saml_name     = "http://schemas.xmlsoap.org/claims/Group"
+  expression    = var.group_mapping
+}
+
 data "authentik_property_mapping_saml" "saml_name" {
   managed = "goauthentik.io/providers/saml/username"
 }
@@ -54,9 +69,11 @@ resource "authentik_provider_saml" "prj" {
   authentication_flow = data.authentik_flow.default-authentication-flow.id
   authorization_flow  = data.authentik_flow.default-authorization-flow.id
   acs_url             = "https://${var.dns_names[0]}/${var.acs_path}"
-  property_mappings   = data.authentik_property_mapping_saml.saml_maps.ids
+  property_mappings   = var.group_mapping==null?data.authentik_property_mapping_saml.saml_maps.ids:concat(data.authentik_property_mapping_saml.saml_maps.ids,[authentik_property_mapping_saml.mapping[0].id])
   name_id_mapping     = data.authentik_property_mapping_saml.saml_name.id
   signing_kp          = data.authentik_certificate_key_pair.generated.id
   sp_binding          = var.binding
+  audience            = var.audience
+  issuer              = var.saml_issuer
 }
 

saml/variables.tf

@@ -17,6 +17,21 @@ variable "binding" {
   type        = string
   default     = "post"
 }
+variable "namespace" {
+  type        = string
+}
 variable "labels" {
   type        = map(string)
 }
+variable "group_mapping" {
+  type        = string
+  default     = null
+}
+variable "audience" {
+  type        = string
+  default     = null
+}
+variable "saml_issuer" {
+  type        = string
+  default     = null
+}