homelab/terraform
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
terraform/authentik/grafana.tf

77 lines
2.6 KiB
Terraform
Raw Normal View History

initial commit
2024-06-27 10:09:49 +02:00
resource "random_id" "client_id" {
byte_length = 16
}
resource "authentik_provider_oauth2" "grafana" {
many things
2024-08-04 16:16:53 +02:00
name = "Grafana"
initial commit
2024-06-27 10:09:49 +02:00
# Required. You can use the output of:
# $ openssl rand -hex 16
many things
2024-08-04 16:16:53 +02:00
client_id = random_id.client_id.id
initial commit
2024-06-27 10:09:49 +02:00
# Optional: will be generated if not provided
# client_secret = "my_client_secret"
many things
2024-08-04 16:16:53 +02:00
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
initial commit
2024-06-27 10:09:49 +02:00
redirect_uris = [
"https://grafana.lab.cowley.tech/login/generic_oauth"
]
property_mappings = [
many things
2024-09-13 10:12:28 +02:00
data.authentik_property_mapping_provider_scope.scope-email.id,
data.authentik_property_mapping_provider_scope.scope-profile.id,
data.authentik_property_mapping_provider_scope.scope-openid.id,
initial commit
2024-06-27 10:09:49 +02:00
]
many things
2024-08-04 16:16:53 +02:00
lifecycle {
ignore_changes = [
signing_key,
authentication_flow,
]
}
initial commit
2024-06-27 10:09:49 +02:00
}
resource "authentik_application" "grafana" {
name = "Grafana"
slug = "grafana"
protocol_provider = authentik_provider_oauth2.grafana.id
}
resource "authentik_group" "grafana_admins" {
many things
2024-08-04 16:16:53 +02:00
name = "Grafana Admins"
initial commit
2024-06-27 10:09:49 +02:00
}
resource "authentik_group" "grafana_editors" {
many things
2024-08-04 16:16:53 +02:00
name = "Grafana Editors"
initial commit
2024-06-27 10:09:49 +02:00
}
resource "authentik_group" "grafana_viewers" {
many things
2024-08-04 16:16:53 +02:00
name = "Grafana Viewers"
initial commit
2024-06-27 10:09:49 +02:00
}
resource "kubernetes_secret" "grafana-authentik" {
metadata {
many things
2024-08-04 16:16:53 +02:00
name = "grafana-authentik"
initial commit
2024-06-27 10:09:49 +02:00
namespace = "monitoring"
}
data = {
many things
2024-08-04 16:16:53 +02:00
"GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
"GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
"GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
"GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
"GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
"GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
"GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
"GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
"GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
"GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
initial commit
2024-06-27 10:09:49 +02:00
"GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
# Optionally enable auto-login (bypasses Grafana login screen)
"GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
# Optionally map user groups to Grafana roles
"GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
}
}
Reference in a new issue Copy permalink