many things

authentik/grafana.tf

@@ -19,15 +19,15 @@ resource "random_id" "client_id" {
 }
 
 resource "authentik_provider_oauth2" "grafana" {
-  name          = "Grafana"
+  name = "Grafana"
   #  Required. You can use the output of:
   #     $ openssl rand -hex 16
-  client_id     = random_id.client_id.id
+  client_id = random_id.client_id.id
 
   # Optional: will be generated if not provided
   # client_secret = "my_client_secret"
 
-  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
+  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
   redirect_uris = [
     "https://grafana.lab.cowley.tech/login/generic_oauth"
@@ -38,6 +38,13 @@ resource "authentik_provider_oauth2" "grafana" {
     data.authentik_scope_mapping.scope-profile.id,
     data.authentik_scope_mapping.scope-openid.id,
   ]
+
+  lifecycle {
+    ignore_changes = [
+      signing_key,
+      authentication_flow,
+    ]
+  }
 }
 
 resource "authentik_application" "grafana" {
@@ -47,33 +54,33 @@ resource "authentik_application" "grafana" {
 }
 
 resource "authentik_group" "grafana_admins" {
-  name    = "Grafana Admins"
+  name = "Grafana Admins"
 }
 
 resource "authentik_group" "grafana_editors" {
-  name    = "Grafana Editors"
+  name = "Grafana Editors"
 }
 
 resource "authentik_group" "grafana_viewers" {
-  name    = "Grafana Viewers"
+  name = "Grafana Viewers"
 }
 
 resource "kubernetes_secret" "grafana-authentik" {
   metadata {
-    name = "grafana-authentik"
+    name      = "grafana-authentik"
     namespace = "monitoring"
   }
   data = {
-    "GF_AUTH_GENERIC_OAUTH_ENABLED" = "true"
-    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID" = authentik_provider_oauth2.grafana.client_id
-    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET" = authentik_provider_oauth2.grafana.client_secret
-    "GF_AUTH_GENERIC_OAUTH_NAME" = "authentik"
-    "GF_AUTH_GENERIC_OAUTH_SCOPES" = "openid profile email"
-    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP" = "true"
-    "GF_AUTH_GENERIC_OAUTH_AUTH_URL" = "https://auth.lab.cowley.tech/application/o/authorize/"
-    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL" = "https://auth.lab.cowley.tech/application/o/token/"
-    "GF_AUTH_GENERIC_OAUTH_API_URL" = "https://auth.lab.cowley.tech/application/o/userinfo/"
-    "GF_AUTH_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
+    "GF_AUTH_GENERIC_OAUTH_ENABLED"        = "true"
+    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID"      = authentik_provider_oauth2.grafana.client_id
+    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"  = authentik_provider_oauth2.grafana.client_secret
+    "GF_AUTH_GENERIC_OAUTH_NAME"           = "authentik"
+    "GF_AUTH_GENERIC_OAUTH_SCOPES"         = "openid profile email"
+    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP"  = "true"
+    "GF_AUTH_GENERIC_OAUTH_AUTH_URL"       = "https://auth.lab.cowley.tech/application/o/authorize/"
+    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL"      = "https://auth.lab.cowley.tech/application/o/token/"
+    "GF_AUTH_GENERIC_OAUTH_API_URL"        = "https://auth.lab.cowley.tech/application/o/userinfo/"
+    "GF_AUTH_SIGNOUT_REDIRECT_URL"         = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
     "GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
     # Optionally enable auto-login (bypasses Grafana login screen)
     "GF_AUTH_OAUTH_AUTO_LOGIN" = "false"