Comments (4)
You can reference multiple providers via the protocol_providers
attribute, which will assign all the providers to the outpost
from terraform-provider-authentik.
Sure thing, I can put as many providers in the outpost as I want when I create it, but I cannot add more afterwards.
Workflow:
- 1 terraform layer containing authentik
- 1 terraform layer per application connected to it
Currently, as a workaround, I'm using the restapi provider in tandem with the http provider to work around this:
```hcl
locals {
  request_headers = {
    "Content-Type" = "application/json"
    Authorization  = "Bearer ${local.authentik-token}"
  }
  # Provider pks already assigned to the "ldap" outpost, and the outpost's own pk.
  ldap-outpost-providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
  ldap-outpost-pk        = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
  # The API returns provider pks as JSON numbers while Terraform resource ids are
  # strings; normalise before comparing, otherwise contains() never matches.
  gitea-ldap-provider-id = tonumber(authentik_provider_ldap.gitea_provider_ldap.id)
}

data "http" "get_ldap_outpost" {
  # Plain http:// to the in-cluster service: the bearer token is only as
  # protected on this hop as the cluster network is.
  url             = "http://authentik.${var.authentik-ns}.svc/api/v3/outposts/instances/?name__iexact=ldap"
  method          = "GET"
  request_headers = local.request_headers

  lifecycle {
    postcondition {
      condition     = contains([200], self.status_code)
      error_message = "Status code invalid"
    }
  }
}

provider "restapi" {
  uri     = "http://authentik.${var.authentik-ns}.svc/api/v3/"
  headers = local.request_headers
  # Every lifecycle step is a PATCH: the outpost already exists and is owned by
  # the authentik layer; this layer only ever amends its provider list.
  create_method        = "PATCH"
  update_method        = "PATCH"
  destroy_method       = "PATCH"
  write_returns_object = true
  id_attribute         = "name"
}

resource "restapi_object" "ldap_outpost_binding" {
  path = "/outposts/instances/${local.ldap-outpost-pk}/"
  data = jsonencode({
    name = "ldap"
    # Conditional concatenation: append this layer's provider only when it is
    # not already assigned, so re-applies are idempotent and providers added by
    # other layers are kept.
    providers = contains(local.ldap-outpost-providers, local.gitea-ldap-provider-id) ? local.ldap-outpost-providers : concat(local.ldap-outpost-providers, [local.gitea-ldap-provider-id])
  })
}
```
Note the conditional concatenation of the arrays.
I still have to do the same in the authentik layer so that an update of the layer won't reset the outpost configuration.
Current implementation for the authentik layer (only using the http provider and the authentik one):
```hcl
locals {
  request_headers = {
    "Content-Type" = "application/json"
    Authorization  = "Bearer ${local.authentik-token}"
  }
  # Outposts currently named "ldap"; empty on the first apply, before the
  # outpost below exists.
  ldap-outpost-json = jsondecode(data.http.get_ldap_outpost.response_body).results
  # Numeric pk of the dummy provider: API pks are numbers, Terraform ids are strings.
  ldap-provider-id = tonumber(authentik_provider_ldap.provider_ldap[0].id)
  # Provider list to write back: keep whatever the application layers added and
  # make sure the dummy provider is present. With no outpost yet, start from the
  # dummy provider alone.
  ldap-outpost-providers = (
    length(local.ldap-outpost-json) > 0
    ? (
      contains(local.ldap-outpost-json[0].providers, local.ldap-provider-id)
      ? local.ldap-outpost-json[0].providers
      : concat(local.ldap-outpost-json[0].providers, [local.ldap-provider-id])
    )
    : [local.ldap-provider-id]
  )
}

data "http" "get_ldap_outpost" {
  # Read only after authentik is deployed and the dummy provider exists.
  depends_on      = [kustomization_resource.post, authentik_provider_ldap.provider_ldap]
  url             = "http://authentik.${var.namespace}.svc/api/v3/outposts/instances/?name__iexact=ldap"
  method          = "GET"
  request_headers = local.request_headers

  lifecycle {
    postcondition {
      condition     = contains([200], self.status_code)
      error_message = "Status code invalid"
    }
  }
}

resource "authentik_service_connection_kubernetes" "local" {
  count = var.outposts.ldap ? 1 : 0
  name  = "local"
  local = true
}

# Dummy provider: never used by an application, only there so the outpost can
# be created with a non-empty provider list.
resource "authentik_provider_ldap" "provider_ldap" {
  count     = var.outposts.ldap ? 1 : 0
  name      = "authentik-ldap-provider"
  base_dn   = "dc=${var.namespace},dc=namespace"
  bind_flow = authentik_flow.ldap-authentication-flow.uuid
}

resource "authentik_outpost" "outpost-ldap" {
  count              = var.outposts.ldap ? 1 : 0
  name               = "ldap"
  type               = "ldap"
  service_connection = authentik_service_connection_kubernetes.local[count.index].id
  config = jsonencode({
    "log_level" : "info",
    # Outpost -> authentik over plain HTTP inside the cluster.
    "authentik_host" : "http://authentik",
    "docker_map_ports" : true,
    "kubernetes_replicas" : 1,
    "kubernetes_namespace" : var.namespace,
    "authentik_host_browser" : "",
    "object_naming_template" : "ak-outpost-%(name)s",
    "authentik_host_insecure" : false,
    "kubernetes_service_type" : "ClusterIP",
    "kubernetes_image_pull_secrets" : [],
    "kubernetes_disabled_components" : [],
    "kubernetes_ingress_annotations" : {},
    "kubernetes_ingress_secret_name" : "authentik-outpost-tls"
  })
  # Merged list, so re-applying this layer does not drop providers that the
  # application layers attached.
  protocol_providers = local.ldap-outpost-providers
}
```
Note that the resource authentik_provider_ldap.provider_ldap is a forced dummy one that will never be used.
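The two snippets above (the application layer that appends its provider, and the authentik layer that seeds the list and merges on re-apply) both implement the same read-modify-write against the outposts API. The following is an added example in Python, not the commenter's Terraform and not authentik's own client code, that spells out that merge on its own so the two pitfalls are visible: provider pks come back from the API as JSON numbers while Terraform hands ids around as strings, and the PATCH must be skipped when nothing changed. It assumes only the response shape shown in the thread (`results[].pk`, `results[].name`, `results[].providers`, and a PATCH of `{"name", "providers"}` to `/outposts/instances/<pk>/`); `FakeAuthentikApi`, `merge_provider_ids`, `plan_outpost_patch`, `ensure_provider_on_outpost` and the sample outpost data are constructed for this example.

```python
"""Idempotent "make sure provider X is assigned to outpost Y" merge.

Added example, not code from the thread or from authentik. Only the API
response shape visible in the comments is assumed:
  GET   /api/v3/outposts/instances/?name__iexact=<name>
        -> {"results": [{"pk": ..., "name": ..., "providers": [...]}, ...]}
  PATCH /api/v3/outposts/instances/<pk>/   <- {"name": ..., "providers": [...]}
FakeAuthentikApi is a constructed in-memory stand-in so the example runs offline.
"""


def merge_provider_ids(current, new_id):
    """Return `current` plus `new_id`, unless it is already present.

    Terraform passes resource ids as strings ("12") while the API returns
    provider pks as numbers (12). A plain membership test compares "12" with 12
    and never matches, so both sides are normalised to int first. Existing
    order is kept so an unchanged list stays byte-for-byte unchanged.
    """
    normalised = [int(pk) for pk in current]
    wanted = int(new_id)
    if wanted in normalised:
        return normalised
    return normalised + [wanted]


def plan_outpost_patch(listing, outpost_name, provider_id):
    """Turn a GET listing into (outpost, patch_body) for the named outpost.

    patch_body is None when the provider is already assigned (nothing to send).
    Raises LookupError when the name matches no outpost or more than one, so a
    guessed target is never patched.
    """
    matches = [o for o in listing.get("results", [])
               if o["name"].lower() == outpost_name.lower()]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} outposts match {outpost_name!r}")
    outpost = matches[0]
    merged = merge_provider_ids(outpost["providers"], provider_id)
    if merged == [int(pk) for pk in outpost["providers"]]:
        return outpost, None
    return outpost, {"name": outpost["name"], "providers": merged}


class FakeAuthentikApi:
    """Constructed stand-in for the two endpoints the workaround uses."""

    def __init__(self, outposts):
        self.outposts = {o["pk"]: dict(o) for o in outposts}
        self.patches_sent = 0  # lets a caller check that re-applies are no-ops

    def list_outposts(self, name):
        results = [o for o in self.outposts.values() if o["name"].lower() == name.lower()]
        return 200, {"results": results}

    def patch_outpost(self, pk, body):
        if pk not in self.outposts:
            return 404, {"detail": "Not found."}
        self.patches_sent += 1
        self.outposts[pk]["providers"] = list(body["providers"])
        return 200, self.outposts[pk]


def ensure_provider_on_outpost(api, outpost_name, provider_id):
    """Read-modify-write the outpost's provider list; returns the final list.

    Mirrors the thread's postcondition: any non-200 aborts before anything is
    written.
    """
    status, listing = api.list_outposts(outpost_name)
    if status != 200:
        raise RuntimeError(f"GET outposts returned {status}")
    outpost, body = plan_outpost_patch(listing, outpost_name, provider_id)
    if body is None:
        return [int(pk) for pk in outpost["providers"]]
    status, updated = api.patch_outpost(outpost["pk"], body)
    if status != 200:
        raise RuntimeError(f"PATCH outpost {outpost['pk']} returned {status}")
    return list(updated["providers"])


if __name__ == "__main__":
    # Constructed sample: outpost "ldap" already carries providers 3 and 7.
    api = FakeAuthentikApi([{"pk": 1, "name": "ldap", "providers": [3, 7]}])
    print(ensure_provider_on_outpost(api, "ldap", "7"))   # already there, no PATCH
    print(ensure_provider_on_outpost(api, "ldap", "12"))  # appended, one PATCH
    print(ensure_provider_on_outpost(api, "ldap", "12"))  # no second PATCH
```

One caveat the Terraform version shares with this script: the PATCH carries the whole `providers` array, so it is a read-modify-write. If two application layers are applied concurrently against the same outpost, the second PATCH silently drops the provider the first one just added; serialise the applies (or lock on the outpost) if that can happen in your pipeline.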
So in my opinion, if that workflow were to be supported, the requirement would be:
- some key in the authentik_outpost resource to say that the provider list should at least contain the given providers without removing the others
- some "add-provider-to-outpost" resource to add additional providers later on
That's my opinion, nothing more, and, as seen above, I have a working implementation so :P