This repository has been archived on 2026-05-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
app/apps/overlays/uat/terraform/users.tf
T
Test User daf8a7bd56 fix(GRO-693): add UAT Terraform infrastructure with correct GitRepository
- Add terraform workspace at apps/overlays/uat/terraform/ (backend.tf,
  main.tf, variables.tf, users.tf, imports.tf, terraform.tfvars)
- Add Terraform CRD (authentik-terraform.yaml) with correct path
  ./apps/overlays/uat/terraform relative to groombook/app repo root
- Add GitRepository CRD (gitrepository-groombook.yaml) pointing to
  groombook/app at fix/gro-844-network-policy branch (NOT groombook/infra
  which no longer exists)
- Add kustomization.yaml to tie it together

Root cause: the GitRepository was pointing to https://github.com/groombook/infra
which no longer exists, and the terraform files were not committed to the
current repository at the correct path.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-21 19:55:35 +00:00

122 lines
4.4 KiB
Terraform

# =============================================================================
# Authentik UAT user personas — Terraform resources
# =============================================================================
# Creates three Authentik users bound to the groombook-uat application:
# - UAT Super User (manager role, superuser)
# - UAT Groomer (staff/groomer role)
# - UAT Customer (no staff record — auth identity only)
#
# Passwords are sourced from sensitive Terraform variables which are injected
# via tf-controller varsFrom from the authentik-uat-users-credentials SealedSecret.
#
# User PKs are exported as outputs — these are the OIDC sub claims in Authentik.
# =============================================================================
# -----------------------------------------------------------------------------
# Group: groombook-uat-users
# -----------------------------------------------------------------------------
resource "authentik_group" "groombook-uat-users" {
name = "groombook-uat-users"
}
# -----------------------------------------------------------------------------
# User: UAT Super User
# -----------------------------------------------------------------------------
resource "authentik_user" "uat-super" {
name = "UAT Super User"
username = "uat-super"
email = "uat-super@groombook.dev"
password = var.uat_super_password
active = true
# Attributes stored as JSON string per authentik_user schema
attributes_json = jsonencode({
role = "manager"
})
}
# Add uat-super to the group
resource "authentik_group_membership" "uat-super" {
group = authentik_group.groombook-uat-users.id
user = authentik_user.uat-super.pk
}
# Bind the group to the groombook-uat application via policy binding
# This grants group members authentication access to the application
resource "authentik_policy_binding" "uat-super-group-binding" {
policy = authentik_group.groombook-uat-users.id
target = authentik_application.groombook-uat.pk
binding_type = "group_whitelist"
}
# -----------------------------------------------------------------------------
# User: UAT Groomer (Staff)
# -----------------------------------------------------------------------------
resource "authentik_user" "uat-groomer" {
name = "UAT Groomer"
username = "uat-groomer"
email = "uat-groomer@groombook.dev"
password = var.uat_groomer_password
active = true
attributes_json = jsonencode({
role = "groomer"
})
}
# Add uat-groomer to the group
resource "authentik_group_membership" "uat-groomer" {
group = authentik_group.groombook-uat-users.id
user = authentik_user.uat-groomer.pk
}
# Bind the group to the groombook-uat application
resource "authentik_policy_binding" "uat-groomer-group-binding" {
policy = authentik_group.groombook-uat-users.id
target = authentik_application.groombook-uat.pk
binding_type = "group_whitelist"
}
# -----------------------------------------------------------------------------
# User: UAT Customer
# -----------------------------------------------------------------------------
resource "authentik_user" "uat-customer" {
name = "UAT Customer"
username = "uat-customer"
email = "uat-customer@groombook.dev"
password = var.uat_customer_password
active = true
attributes_json = jsonencode({
role = "customer"
})
}
# Add uat-customer to the group
resource "authentik_group_membership" "uat-customer" {
group = authentik_group.groombook-uat-users.id
user = authentik_user.uat-customer.pk
}
# Bind the group to the groombook-uat application
resource "authentik_policy_binding" "uat-customer-group-binding" {
policy = authentik_group.groombook-uat-users.id
target = authentik_application.groombook-uat.pk
binding_type = "group_whitelist"
}
# -----------------------------------------------------------------------------
# Outputs — OIDC sub claims (= user PK in Authentik)
# -----------------------------------------------------------------------------
output "uat_super_user_pk" {
description = "UAT Super User primary key (OIDC sub)"
value = authentik_user.uat-super.pk
}
output "uat_groomer_user_pk" {
description = "UAT Groomer primary key (OIDC sub)"
value = authentik_user.uat-groomer.pk
}
output "uat_customer_user_pk" {
description = "UAT Customer primary key (OIDC sub)"
value = authentik_user.uat-customer.pk
}