initial commit

2024-06-27 10:09:49 +02:00 · 2024-06-27 10:09:49 +02:00 · a236d3a0a6
commit a236d3a0a6
8 changed files with 216 additions and 0 deletions
--- a/authentik/grafana.tf
+++ b/authentik/grafana.tf
@ -0,0 +1,84 @@
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "scope-email" {
+  name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_scope_mapping" "scope-profile" {
+  name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_scope_mapping" "scope-openid" {
+  name = "authentik default OAuth Mapping: OpenID 'openid'"
+}
+
+resource "random_id" "client_id" {
+  byte_length = 16
+}
+
+resource "authentik_provider_oauth2" "grafana" {
+  name          = "Grafana"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id     = random_id.client_id.id
+
+  # Optional: will be generated if not provided
+  # client_secret = "my_client_secret"
+
+  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "https://grafana.lab.cowley.tech/login/generic_oauth"
+  ]
+
+  property_mappings = [
+    data.authentik_scope_mapping.scope-email.id,
+    data.authentik_scope_mapping.scope-profile.id,
+    data.authentik_scope_mapping.scope-openid.id,
+  ]
+}
+
+resource "authentik_application" "grafana" {
+  name              = "Grafana"
+  slug              = "grafana"
+  protocol_provider = authentik_provider_oauth2.grafana.id
+}
+
+resource "authentik_group" "grafana_admins" {
+  name    = "Grafana Admins"
+}
+
+resource "authentik_group" "grafana_editors" {
+  name    = "Grafana Editors"
+}
+
+resource "authentik_group" "grafana_viewers" {
+  name    = "Grafana Viewers"
+}
+
+resource "kubernetes_secret" "grafana-authentik" {
+  metadata {
+    name = "grafana-authentik"
+    namespace = "monitoring"
+  }
+  data = {
+    "GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
+    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
+    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
+    "GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
+    "GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
+    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
+    "GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
+    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
+    "GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
+    "GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+    "GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+    # Optionally enable auto-login (bypasses Grafana login screen)
+    "GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
+    # Optionally map user groups to Grafana roles
+    "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
+
+  }
+}