daf8a7bd56
- Add terraform workspace at apps/overlays/uat/terraform/ (backend.tf, main.tf, variables.tf, users.tf, imports.tf, terraform.tfvars) - Add Terraform CRD (authentik-terraform.yaml) with correct path ./apps/overlays/uat/terraform relative to groombook/app repo root - Add GitRepository CRD (gitrepository-groombook.yaml) pointing to groombook/app at fix/gro-844-network-policy branch (NOT groombook/infra which no longer exists) - Add kustomization.yaml to tie it together Root cause: the GitRepository was pointing to https://github.com/groombook/infra which no longer exists, and the terraform files were not committed to the current repository at the correct path. Co-Authored-By: Paperclip <noreply@paperclip.ing>
122 lines
4.4 KiB
Terraform
122 lines
4.4 KiB
Terraform
# =============================================================================
|
|
# Authentik UAT user personas — Terraform resources
|
|
# =============================================================================
|
|
# Creates three Authentik users bound to the groombook-uat application:
|
|
# - UAT Super User (manager role, superuser)
|
|
# - UAT Groomer (staff/groomer role)
|
|
# - UAT Customer (no staff record — auth identity only)
|
|
#
|
|
# Passwords are sourced from sensitive Terraform variables which are injected
|
|
# via tf-controller varsFrom from the authentik-uat-users-credentials SealedSecret.
|
|
#
|
|
# User PKs are exported as outputs — these are the OIDC sub claims in Authentik.
|
|
# =============================================================================
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Group: groombook-uat-users
|
|
# -----------------------------------------------------------------------------
|
|
resource "authentik_group" "groombook-uat-users" {
|
|
name = "groombook-uat-users"
|
|
}
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# User: UAT Super User
|
|
# -----------------------------------------------------------------------------
|
|
resource "authentik_user" "uat-super" {
|
|
name = "UAT Super User"
|
|
username = "uat-super"
|
|
email = "uat-super@groombook.dev"
|
|
password = var.uat_super_password
|
|
active = true
|
|
# Attributes stored as JSON string per authentik_user schema
|
|
attributes_json = jsonencode({
|
|
role = "manager"
|
|
})
|
|
}
|
|
|
|
# Add uat-super to the group
|
|
resource "authentik_group_membership" "uat-super" {
|
|
group = authentik_group.groombook-uat-users.id
|
|
user = authentik_user.uat-super.pk
|
|
}
|
|
|
|
# Bind the group to the groombook-uat application via policy binding
|
|
# This grants group members authentication access to the application
|
|
resource "authentik_policy_binding" "uat-super-group-binding" {
|
|
policy = authentik_group.groombook-uat-users.id
|
|
target = authentik_application.groombook-uat.pk
|
|
binding_type = "group_whitelist"
|
|
}
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# User: UAT Groomer (Staff)
|
|
# -----------------------------------------------------------------------------
|
|
resource "authentik_user" "uat-groomer" {
|
|
name = "UAT Groomer"
|
|
username = "uat-groomer"
|
|
email = "uat-groomer@groombook.dev"
|
|
password = var.uat_groomer_password
|
|
active = true
|
|
attributes_json = jsonencode({
|
|
role = "groomer"
|
|
})
|
|
}
|
|
|
|
# Add uat-groomer to the group
|
|
resource "authentik_group_membership" "uat-groomer" {
|
|
group = authentik_group.groombook-uat-users.id
|
|
user = authentik_user.uat-groomer.pk
|
|
}
|
|
|
|
# Bind the group to the groombook-uat application
|
|
resource "authentik_policy_binding" "uat-groomer-group-binding" {
|
|
policy = authentik_group.groombook-uat-users.id
|
|
target = authentik_application.groombook-uat.pk
|
|
binding_type = "group_whitelist"
|
|
}
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# User: UAT Customer
|
|
# -----------------------------------------------------------------------------
|
|
resource "authentik_user" "uat-customer" {
|
|
name = "UAT Customer"
|
|
username = "uat-customer"
|
|
email = "uat-customer@groombook.dev"
|
|
password = var.uat_customer_password
|
|
active = true
|
|
attributes_json = jsonencode({
|
|
role = "customer"
|
|
})
|
|
}
|
|
|
|
# Add uat-customer to the group
|
|
resource "authentik_group_membership" "uat-customer" {
|
|
group = authentik_group.groombook-uat-users.id
|
|
user = authentik_user.uat-customer.pk
|
|
}
|
|
|
|
# Bind the group to the groombook-uat application
|
|
resource "authentik_policy_binding" "uat-customer-group-binding" {
|
|
policy = authentik_group.groombook-uat-users.id
|
|
target = authentik_application.groombook-uat.pk
|
|
binding_type = "group_whitelist"
|
|
}
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Outputs — OIDC sub claims (= user PK in Authentik)
|
|
# -----------------------------------------------------------------------------
|
|
output "uat_super_user_pk" {
|
|
description = "UAT Super User primary key (OIDC sub)"
|
|
value = authentik_user.uat-super.pk
|
|
}
|
|
|
|
output "uat_groomer_user_pk" {
|
|
description = "UAT Groomer primary key (OIDC sub)"
|
|
value = authentik_user.uat-groomer.pk
|
|
}
|
|
|
|
output "uat_customer_user_pk" {
|
|
description = "UAT Customer primary key (OIDC sub)"
|
|
value = authentik_user.uat-customer.pk
|
|
}
|