data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
}

data "authentik_property_mapping_saml" "saml_maps" {
  managed_list = [
      "goauthentik.io/providers/saml/email",
      "goauthentik.io/providers/saml/groups",
      "goauthentik.io/providers/saml/name",
      "goauthentik.io/providers/saml/upn",
      "goauthentik.io/providers/saml/uid",
      "goauthentik.io/providers/saml/username",
      "goauthentik.io/providers/saml/ms-windowsaccountname",
  ]
}

data "authentik_property_mapping_saml" "saml_name" {
  managed = "goauthentik.io/providers/saml/username"
}

data "authentik_certificate_key_pair" "generated" {
  name = "authentik Self-signed Certificate"
}

resource "kubectl_manifest" "saml_certificate" {
  yaml_body  = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Certificate"
    metadata:
      name: "${var.instance}-${var.component}-saml"
      namespace: "${var.namespace}"
      labels: ${jsonencode(var.labels)}
    spec:
        secretName: "${var.instance}-${var.component}-saml"
        dnsNames: ${jsonencode(var.dns_names)}
        issuerRef:
          name: "self-sign"
          kind: "ClusterIssuer"
          group: "cert-manager.io"
  EOF
}

resource "authentik_provider_saml" "prj" {
  name                = "${var.component}-${var.instance}-saml"
  authentication_flow = data.authentik_flow.default-authentication-flow.id
  authorization_flow  = data.authentik_flow.default-authorization-flow.id
  acs_url             = "https://${var.dns_names[0]}/${var.acs_path}"
  property_mappings   = data.authentik_property_mapping_saml.saml_maps.ids
  name_id_mapping     = data.authentik_property_mapping_saml.saml_name.id
  signing_kp          = data.authentik_certificate_key_pair.generated.id
  sp_binding          = var.binding
}