85 lines
2.8 KiB
Terraform
85 lines
2.8 KiB
Terraform
|
data "authentik_flow" "default-provider-authorization-implicit-consent" {
|
||
|
|
slug = "default-provider-authorization-implicit-consent"
|
||
|
|
}
|
||
|
|
|
||
|
|
data "authentik_scope_mapping" "scope-email" {
|
||
|
|
name = "authentik default OAuth Mapping: OpenID 'email'"
|
||
|
|
}
|
||
|
|
|
||
|
|
data "authentik_scope_mapping" "scope-profile" {
|
||
|
|
name = "authentik default OAuth Mapping: OpenID 'profile'"
|
||
|
|
}
|
||
|
|
|
||
|
|
data "authentik_scope_mapping" "scope-openid" {
|
||
|
|
name = "authentik default OAuth Mapping: OpenID 'openid'"
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "random_id" "client_id" {
|
||
|
|
byte_length = 16
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "authentik_provider_oauth2" "grafana" {
|
||
|
|
name = "Grafana"
|
||
|
|
# Required. You can use the output of:
|
||
|
|
# $ openssl rand -hex 16
|
||
|
|
client_id = random_id.client_id.id
|
||
|
|
|
||
|
|
# Optional: will be generated if not provided
|
||
|
|
# client_secret = "my_client_secret"
|
||
|
|
|
||
|
|
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
|
||
|
|
|
||
|
|
redirect_uris = [
|
||
|
|
"https://grafana.lab.cowley.tech/login/generic_oauth"
|
||
|
|
]
|
||
|
|
|
||
|
|
property_mappings = [
|
||
|
|
data.authentik_scope_mapping.scope-email.id,
|
||
|
|
data.authentik_scope_mapping.scope-profile.id,
|
||
|
|
data.authentik_scope_mapping.scope-openid.id,
|
||
|
|
]
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "authentik_application" "grafana" {
|
||
|
|
name = "Grafana"
|
||
|
|
slug = "grafana"
|
||
|
|
protocol_provider = authentik_provider_oauth2.grafana.id
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "authentik_group" "grafana_admins" {
|
||
|
|
name = "Grafana Admins"
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "authentik_group" "grafana_editors" {
|
||
|
|
name = "Grafana Editors"
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "authentik_group" "grafana_viewers" {
|
||
|
|
name = "Grafana Viewers"
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "kubernetes_secret" "grafana-authentik" {
|
||
|
|
metadata {
|
||
|
|
name = "grafana-authentik"
|
||
|
|
namespace = "monitoring"
|
||
|
|
}
|
||
|
|
data = {
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
|
||
|
|
"GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
|
||
|
|
"GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
|
||
|
|
# Optionally enable auto-login (bypasses Grafana login screen)
|
||
|
|
"GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
|
||
|
|
# Optionally map user groups to Grafana roles
|
||
|
|
"GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
|
||
|
|
|
||
|
|
}
|
||
|
|
}
|