locals {
  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  app_name   = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
  main_group = format("app-%s", local.app_slug)
  url_icon   = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", var.dns_name, var.icon)
}
data "authentik_group" "akadmin" {
  name = "authentik Admins"
}
resource "authentik_group" "groups" {
  name       = local.main_group
  attributes = jsonencode({ "${local.app_name}" = true })
}

resource "authentik_group" "subgroup" {
  count  = length(var.sub_groups)
  name   = format("%s-%s", local.main_group, var.sub_groups[count.index])
  parent = authentik_group.groups.id
}

resource "authentik_application" "app" {
  name                  = var.app_name
  slug                  = local.app_slug
  group                 = var.app_group
  protocol_provider     = var.protocol_provider
  backchannel_providers = var.backchannel_providers
  meta_launch_url       = format("https://%s", var.dns_name)
  meta_icon             = local.url_icon
}

resource "authentik_policy_expression" "policy" {
  name       = "${local.app_slug}-${local.main_group}"
  expression = <<-EOF
    attr = request.user.group_attributes()
    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
  EOF
}

resource "authentik_policy_binding" "access_users" {
  target = authentik_application.app.uuid
  policy = authentik_policy_expression.policy.id
  order  = 0
}
resource "authentik_policy_binding" "access_vynil" {
  target = authentik_application.app.uuid
  group  = data.authentik_group.akadmin.id
  order  = 1
}