Add oidc client module
This commit is contained in:
parent
cf43d32d06
commit
52b0ec3bb6
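--- /dev/null
+++ b/core/oidc_client/.terraform.lock.hcl
@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/nomad" {
+version = "2.3.1"
+hashes = [
+"h1:lMueBNB2GJ/a5rweL9NPybwVfDH/Q1s+rQvt5Y+kuYs=",
+"zh:1e7893a3fbebff171bcc5581b70a16eea33193c7e9dd73402ba5c04b7202f0bb",
+"zh:252cfd3fee4811c83bc74406ba1bc1bbb83d6de20e50a86f93737f8f86864171",
+"zh:387a7140be6dfa3f8d27f09d1eb2b9f3b84900328fe5a0478e9b3bd91a845808",
+"zh:49848fa491ac26b0568b112a57d14cc49772607c7cf405e2f74dd537407214b1",
+"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+"zh:7b9f345f5bb5f17c5d0bc3d373c25828934a3cbcdb331e0eab54eb47f1355fb2",
+"zh:8e276f4de508a86e725fffc02ee891db73397c35dbd591d8918af427eeec93a1",
+"zh:90b349933d2fd28f822a36128be4625bb816aa9f20ec314c79c77306f632ae87",
+"zh:a0ca6fd6cd94a52684e432104d3dc170a74075f47d9d4ba725cc340a438ed75a",
+"zh:a6cffc45535a0ff8206782538b3eeaef17dc93d0e1fd58bc1e6f7d5aa0f6ba1a",
+"zh:c010807b5d3e03d769419787b0e5d4efa6963134e1873a413102af6bf3dd1c49",
+"zh:faf962ee1981e897e99f7e528642c7e74beed37afd8eaf743e6ede24df812d80",
+]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+version = "3.6.2"
+hashes = [
+"h1:wmG0QFjQ2OfyPy6BB7mQ57WtoZZGGV07uAPQeDmIrAE=",
+"zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
+"zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
+"zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
+"zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
+"zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
+"zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
+"zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
+"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+"zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
+"zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
+"zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
+"zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
+]
+}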
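--- /dev/null
+++ b/core/oidc_client/main.tf
@@ -0,0 +1,50 @@
+resource "random_password" "oidc_client_id" {
+length = 72
+override_special = "-._~"
+}
+
+resource "random_password" "oidc_secret" {
+length = 72
+override_special = "-._~"
+}
+
+resource "nomad_variable" "authelia_oidc_secret" {
+path = "secrets/authelia/${var.name}"
+items = {
+client_id = resource.random_password.oidc_client_id.result
+secret = resource.random_password.oidc_secret.result
+secret_hash = resource.random_password.oidc_secret.bcrypt_hash
+}
+}
+
+resource "nomad_variable" "authelia_access_control_oidc" {
+path = "authelia/access_control/oidc_clients/${var.name}"
+items = {
+id = resource.random_password.oidc_client_id.result
+description = var.oidc_client_config.description
+authorization_policy = var.oidc_client_config.authorization_policy
+redirect_uris = yamlencode(var.oidc_client_config.redirect_uris)
+scopes = yamlencode(var.oidc_client_config.scopes)
+}
+}
+
+resource "nomad_acl_policy" "oidc_authelia" {
+count = var.job_acl != null ? 1 : 0
+name = "${var.name}-authelia"
+description = "Give access to shared authelia variables"
+rules_hcl = <<EOH
+namespace "default" {
+variables {
+path "secrets/authelia/${var.name}" {
+capabilities = ["read"]
+}
+}
+}
+EOH
+
+job_acl {
+job_id = var.job_acl.job_id
+group = var.job_acl.group
+task = var.job_acl.task
+}
+}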
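Review bot: The plaintext client secret and its bcrypt hash are written to the same Nomad variable (`secrets/authelia/${var.name}` in `authelia_oidc_secret`), which is also the only path the `oidc_authelia` policy grants the job, so anything allowed to read the hash can read the plaintext as well. The relying-party job needs only `client_id` and `secret` while Authelia needs only the hash, so moving `secret_hash = resource.random_password.oidc_secret.bcrypt_hash` into the `items` of `authelia_access_control_oidc` (the Authelia-facing variable) keeps the plaintext out of Authelia's read scope — assuming, as the path names suggest, that Authelia consumes `authelia/access_control/oidc_clients/*` rather than the secrets path. Separately, `rules_hcl` interpolates `var.name` into policy HCL and into a variable path with no constraint on its characters, which is best handled by a `validation` block on the variable in vars.tf. The policy also hard-codes `namespace "default"` while the `nomad_variable` resources inherit the provider's namespace, so the grant would silently miss the variables if the provider is configured for another namespace.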
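--- /dev/null
+++ b/core/oidc_client/output.tf
@@ -0,0 +1,11 @@
+output "client_id" {
+value = resource.random_password.oidc_client_id.result
+}
+
+output "secret" {
+value = resource.random_password.oidc_secret.result
+}
+
+output "secret_hash" {
+value = resource.random_password.oidc_secret.bcrypt_hash
+}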
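Review bot: None of the three outputs is marked sensitive although each references a sensitive attribute of `random_password` (`result` and `bcrypt_hash`); Terraform refuses to plan an output that refers to a sensitive value unless the output itself carries `sensitive = true`, so as written the module should fail at plan time. Add `sensitive = true` to `client_id`, `secret` and `secret_hash` — `client_id` included, because `result` is sensitive in the provider schema even though an OIDC client identifier is not itself a secret. Marking them also keeps the values out of `terraform apply` console output and plan logs, where they would otherwise be printed in clear.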
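--- /dev/null
+++ b/core/oidc_client/vars.tf
@@ -0,0 +1,25 @@
+variable "name" {
+description = "Name of service"
+type = string
+}
+
+variable "oidc_client_config" {
+description = "Authelia oidc client configuration to enable oidc authentication"
+type = object({
+description = string
+authorization_policy = optional(string, "one_factor")
+redirect_uris = list(string)
+scopes = list(string)
+})
+}
+
+variable "job_acl" {
+description = "Job ACL that should be given to the secrets"
+type = object({
+job_id = string
+group = optional(string)
+task = optional(string)
+})
+
+default = null
+}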
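Review bot: `variable "name"` accepts any string, yet main.tf interpolates it into two Nomad variable paths, an ACL policy name and a `rules_hcl` heredoc; a value containing `"`, `/`, `*` or whitespace would produce a malformed or broader-than-intended policy rather than a clear error. A `validation` block restricting the name to path-safe characters fails the plan early with an explicit message instead. The exact character set should match what the calling modules already use for service names, which is not visible here.

```hcl
variable "name" {
  # … unchanged: description and type …
  validation {
    condition     = can(regex("^[a-z0-9_-]+$", var.name))
    error_message = "name must contain only lowercase letters, digits, '_' or '-' (it is embedded in Nomad variable paths and ACL policy HCL)."
  }
}
```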