data "authentik_flow" "default-provider-authorization-implicit-consent" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_scope_mapping" "scope-email" {
  name = "authentik default OAuth Mapping: OpenID 'email'"
}

data "authentik_scope_mapping" "scope-profile" {
  name = "authentik default OAuth Mapping: OpenID 'profile'"
}

data "authentik_scope_mapping" "scope-openid" {
  name = "authentik default OAuth Mapping: OpenID 'openid'"
}

resource "random_id" "client_id" {
  byte_length = 16
}

resource "authentik_provider_oauth2" "grafana" {
  name = "Grafana"
  #  Required. You can use the output of:
  #     $ openssl rand -hex 16
  client_id = random_id.client_id.id

  # Optional: will be generated if not provided
  # client_secret = "my_client_secret"

  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id

  redirect_uris = [
    "https://grafana.lab.cowley.tech/login/generic_oauth"
  ]

  property_mappings = [
    data.authentik_scope_mapping.scope-email.id,
    data.authentik_scope_mapping.scope-profile.id,
    data.authentik_scope_mapping.scope-openid.id,
  ]

  lifecycle {
    ignore_changes = [
      signing_key,
      authentication_flow,
    ]
  }
}

resource "authentik_application" "grafana" {
  name              = "Grafana"
  slug              = "grafana"
  protocol_provider = authentik_provider_oauth2.grafana.id
}

resource "authentik_group" "grafana_admins" {
  name = "Grafana Admins"
}

resource "authentik_group" "grafana_editors" {
  name = "Grafana Editors"
}

resource "authentik_group" "grafana_viewers" {
  name = "Grafana Viewers"
}

resource "kubernetes_secret" "grafana-authentik" {
  metadata {
    name      = "grafana-authentik"
    namespace = "monitoring"
  }
  data = {
    "GF_AUTH_GENERIC_OAUTH_ENABLED"        = "true"
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID"      = authentik_provider_oauth2.grafana.client_id
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"  = authentik_provider_oauth2.grafana.client_secret
    "GF_AUTH_GENERIC_OAUTH_NAME"           = "authentik"
    "GF_AUTH_GENERIC_OAUTH_SCOPES"         = "openid profile email"
    "GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP"  = "true"
    "GF_AUTH_GENERIC_OAUTH_AUTH_URL"       = "https://auth.lab.cowley.tech/application/o/authorize/"
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL"      = "https://auth.lab.cowley.tech/application/o/token/"
    "GF_AUTH_GENERIC_OAUTH_API_URL"        = "https://auth.lab.cowley.tech/application/o/userinfo/"
    "GF_AUTH_SIGNOUT_REDIRECT_URL"         = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
    "GF_AUTH_GENERIC_SIGNOUT_REDIRECT_URL" = "https://auth.lab.cowley.tech/application/o/grafana/end-session/"
    # Optionally enable auto-login (bypasses Grafana login screen)
    "GF_AUTH_OAUTH_AUTO_LOGIN" = "false"
    # Optionally map user groups to Grafana roles
    "GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH" = "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"

  }
}