# Single LDAP outpost that fronts every LDAP provider declared in this file.
# Only created once at least one application is configured, so an empty
# var.applications leaves no outpost behind.
resource "authentik_outpost" "ldap_outpost" {
  count = length(var.applications) > 0 ? 1 : 0

  name = "LDAP Outpost"
  type = "ldap"

  # Every provider produced by this module is attached to this one outpost.
  protocol_providers = authentik_provider_ldap.ldap_provider[*].id

  # Both values are passed through from the caller unchanged.
  service_connection = var.service_connection_id
  config             = var.outpost_configuration
}
# Group that collects the per-application LDAP service users. It is referenced
# as search_group by every LDAP provider below and as the group of every
# service user, so it is the membership that ties the two together.
# Created only when applications exist.
resource "authentik_group" "ldap_clients" {
  count = length(var.applications) > 0 ? 1 : 0

  name = var.ldap_service_accounts_group_name
}
# One authentik application per entry of var.applications, each wired to the
# LDAP provider created at the same index.
#
# NOTE(review): because these resources are indexed by count, removing an entry
# from the middle of var.applications shifts count.index and recreates every
# application (and provider) after it. A for_each keyed by slug would avoid
# that, but it changes the resource addresses and so needs state moves.
resource "authentik_application" "ldap_application" {
  count = length(var.applications)

  name = var.applications[count.index].name
  slug = var.applications[count.index].slug

  # Optional display metadata; every key of app_config falls back to "" when
  # absent. `group` is authentik's library grouping label — it does not by
  # itself restrict who may use the application.
  group            = lookup(var.applications[count.index].app_config, "group", "")
  meta_description = lookup(var.applications[count.index].app_config, "description", "")
  meta_launch_url  = lookup(var.applications[count.index].app_config, "launch_url", "")
  meta_publisher   = lookup(var.applications[count.index].app_config, "publisher", "")

  # Provider and application share the same count.index.
  protocol_provider = authentik_provider_ldap.ldap_provider[count.index].id
}
# Per-application user group populated from the caller-supplied user_ids.
#
# NOTE(review): nothing in this file binds this group to the matching
# application (e.g. through an authentik_policy_binding), so on its own the
# group does not gate access to the LDAP provider. Confirm that binding exists
# elsewhere if membership here is meant to be an authorization boundary.
resource "authentik_group" "ldap_application_users" {
  count = length(var.applications)

  name  = format("app-users-%s", var.applications[count.index].slug)
  users = var.applications[count.index].user_ids
}
# One LDAP provider per application. Most settings can be overridden per
# application through ldap_config and otherwise fall back to module defaults.
resource "authentik_provider_ldap" "ldap_provider" {
  count = length(var.applications)

  name = format("%sLDAP", title(var.applications[count.index].slug))

  # Directory root for this provider; defaults to the module-wide base DN.
  base_dn = lookup(var.applications[count.index].ldap_config, "base_dn", var.default_base_dn)

  # An application may point at its own authentication flow by UUID; otherwise
  # the shared ldap-password-auth flow defined in this file is used.
  bind_flow = lookup(var.applications[count.index].ldap_config, "bind_flow_uuid", authentik_flow.ldap_login[0].uuid)

  # The shared service-account group. Index [0] is safe here because
  # ldap_clients is created whenever var.applications is non-empty.
  search_group = authentik_group.ldap_clients[0].id

  # Bind/search behaviour, per application or from the module defaults.
  # NOTE(review): the accepted values and their security implications depend
  # on the authentik version in use — check the provider docs before relaxing
  # the defaults.
  bind_mode   = lookup(var.applications[count.index].ldap_config, "bind_mode", var.default_bind_mode)
  search_mode = lookup(var.applications[count.index].ldap_config, "search_mode", var.default_search_mode)
}
# Dedicated service user per application. It is the identity the application
# binds with, and it is placed in the shared ldap_clients group.
#
# NOTE(review): this is a plain user whose only distinguishing marks are the
# "users/ldap" path and the group membership. If the provider version in use
# supports flagging users as service accounts, consider doing so here — confirm
# against the provider docs.
resource "authentik_user" "ldap_user" {
  count = length(var.applications)

  username = format("ldap-%s", var.applications[count.index].slug)
  name     = format("Service User used by %s to authenticate against LDAP server", var.applications[count.index].name)

  # Keeps all LDAP service users under one path for easier auditing.
  path = "users/ldap"

  # Index [0] is safe: ldap_clients exists whenever applications do.
  groups = [authentik_group.ldap_clients[0].id]
}
# App password for each service user; this is the credential the application
# presents when binding to LDAP.
resource "authentik_token" "ldap_app_password" {
  count = length(var.applications)

  identifier  = format("ldap-app-password-%s", var.applications[count.index].slug)
  user        = authentik_user.ldap_user[count.index].id
  intent      = "app_password"
  description = format("Password used by %s to authenticate using LDAP", var.applications[count.index].name)

  # The token never expires, so rotation is not enforced by authentik and has
  # to be handled by the operator (e.g. by tainting/recreating this resource).
  expiring = false

  # The secret value is not read back by Terraform, so it does not land in
  # state or plan output; the application's credential has to be retrieved
  # through authentik itself. NOTE(review): confirm this attribute's exact
  # semantics for the provider version in use.
  retrieve_key = false
}
# Shared password-based authentication flow used as the default bind_flow of
# every LDAP provider. Its stages are attached by the bindings below.
resource "authentik_flow" "ldap_login" {
  count = length(var.applications) > 0 ? 1 : 0

  designation = "authentication"
  name        = "ldap-password-auth"
  slug        = "ldap-password-auth"
  title       = "LDAP Password Login"
}
# Stage 1 of the LDAP login flow: identify the user (authentik's default
# identification stage, looked up by name below).
resource "authentik_flow_stage_binding" "ldap_login_identification" {
  count = length(var.applications) > 0 ? 1 : 0

  # Lowest order runs first; the password and login bindings use 20 and 100.
  order  = 10
  stage  = data.authentik_stage.default_authentication_identification.id
  target = authentik_flow.ldap_login[0].uuid
}
# Stage 2 of the LDAP login flow: password check via authentik's default
# password stage.
resource "authentik_flow_stage_binding" "ldap_login_password" {
  count = length(var.applications) > 0 ? 1 : 0

  # Runs after identification (10) and before login (100).
  order  = 20
  stage  = data.authentik_stage.default_authentication_password.id
  target = authentik_flow.ldap_login[0].uuid
}
# Final stage of the LDAP login flow: authentik's default login stage, which
# runs once identification and password have both passed.
resource "authentik_flow_stage_binding" "ldap_login_login" {
  count = length(var.applications) > 0 ? 1 : 0

  # Deliberately high so any stage added later (e.g. a second factor) can be
  # slotted between the password stage and this one without renumbering.
  order  = 100
  stage  = data.authentik_stage.default_authentication_login.id
  target = authentik_flow.ldap_login[0].uuid
}
# Looks up authentik's built-in identification stage by name; the plan fails
# if the stage has been renamed or removed in the target instance.
data "authentik_stage" "default_authentication_identification" {
  name = "default-authentication-identification"
}
# Looks up authentik's built-in password stage by name.
data "authentik_stage" "default_authentication_password" {
  name = "default-authentication-password"
}
# Looks up authentik's built-in login stage by name.
data "authentik_stage" "default_authentication_login" {
  name = "default-authentication-login"
}