Merge pull request #29 from presentium/main

Lutonite · web-flow · commit 387e6492957a · 2024-08-08T16:41:22.000+02:00
update prod
diff --git a/applications/.tfvars.sample b/applications/.tfvars.sample
@@ -0,0 +1,2 @@
+authentik_url = ""
+authentik_api_key = ""
diff --git a/applications/_vars.tf b/applications/_vars.tf
@@ -0,0 +1,8 @@
+variable "authentik_url" {
+  description = "Authentik management URL"
+}
+
+variable "authentik_api_key" {
+  description = "Authentik management API key"
+  sensitive   = true
+}
diff --git a/applications/main.tf b/applications/main.tf
@@ -20,10 +20,10 @@ terraform {
 
 // Provider configuration
 
-# provider "authentik" {
-#   token = ""
-#   url   = ""
-#}
+provider "authentik" {
+  url   = var.authentik_url
+  token = var.authentik_api_key
+}
 
 # provider "vault" {
 #   address = ""
@@ -40,9 +40,9 @@ module "authentik" {
   }
 }
 
-module "vault" {
-  source = "./modules/vault"
-  providers = {
-    vault = vault
-  }
-}
+# module "vault" {
+#   source = "./modules/vault"
+#   providers = {
+#     vault = vault
+#   }
+# }
diff --git a/applications/modules/authentik/_data.tf b/applications/modules/authentik/_data.tf
@@ -0,0 +1,22 @@
+data "authentik_flow" "default-implicit" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_flow" "default-explicit" {
+  slug = "default-provider-authorization-explicit-consent"
+}
+
+data "authentik_scope_mapping" "scope-email" {
+  scope_name = "email"
+  name       = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_scope_mapping" "scope-profile" {
+  scope_name = "profile"
+  name       = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_scope_mapping" "scope-openid" {
+  scope_name = "roles"
+  name       = "authentik default OAuth Mapping: OpenID 'openid'"
+}
diff --git a/applications/modules/authentik/groups-presentium.tf b/applications/modules/authentik/groups-presentium.tf
@@ -0,0 +1,14 @@
+resource "authentik_group" "students" {
+  name = "Presentium Students"
+}
+
+resource "authentik_group" "teachers" {
+  name   = "Presentium Teachers"
+  parent = authentik_group.students.id
+}
+
+resource "authentik_group" "admins" {
+  name         = "Presentium Admins"
+  parent       = authentik_group.teachers.id
+  is_superuser = true
+}
diff --git a/applications/modules/authentik/mapping-presentium-roles.tf b/applications/modules/authentik/mapping-presentium-roles.tf
@@ -0,0 +1,17 @@
+resource "authentik_scope_mapping" "scope-roles" {
+  name       = "Presentium Roles"
+  scope_name = "roles"
+  expression = <<-EOT
+    roles = []
+    if ak_is_group_member(request.user, name="${authentik_group.students.name}"):
+      roles.append("student")
+    if ak_is_group_member(request.user, name="${authentik_group.teachers.name}"):
+      roles.append("teacher")
+    if ak_is_group_member(request.user, name="${authentik_group.admins.name}"):
+      roles.append("admin")
+
+    return {
+      "roles": roles
+    }
+  EOT
+}
diff --git a/applications/modules/authentik/provider-oauth2-presentium.tf b/applications/modules/authentik/provider-oauth2-presentium.tf
@@ -0,0 +1,27 @@
+resource "authentik_provider_oauth2" "presentium" {
+  name      = "oidc-presentium"
+  client_id = "ca884da2-1542-46a7-be60-5c42a513451a"
+
+  authorization_flow = data.authentik_flow.default-explicit.id
+
+  redirect_uris = [
+    "https://app.presentium.ch/auth/oidc/callback",               # Production domain
+    "https://staging.presentium.ch/auth/oidc/callback",           # Staging domain
+    "https://dashboard-presentium.nuxt.dev/auth/oidc/callback",   # NuxtHub domain
+    "https://[\\w-]+.dashboard-1as.pages.dev/auth/oidc/callback", # PR / preview domains
+  ]
+
+  property_mappings = [
+    data.authentik_scope_mapping.scope-email.id,
+    data.authentik_scope_mapping.scope-profile.id,
+    data.authentik_scope_mapping.scope-openid.id,
+    authentik_scope_mapping.scope-roles.id,
+  ]
+}
+
+resource "authentik_application" "presentium" {
+  name              = "Presentium"
+  slug              = "presentium"
+  protocol_provider = authentik_provider_oauth2.presentium.id
+  meta_icon         = "https://avatars.githubusercontent.com/u/174350723?s=4000&v=4"
+}
diff --git a/dockerfiles/argocd.Dockerfile b/dockerfiles/argocd.Dockerfile
@@ -48,4 +48,4 @@ RUN \
 
 RUN chmod +x /gitops-tools/* && ln -sf /gitops-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /usr/local/sbin/helm
 
-USER argocd
+USER $ARGOCD_USER_ID
diff --git a/infrastructure/modules/aws/eks/iam.tf b/infrastructure/modules/aws/eks/iam.tf
@@ -14,6 +14,21 @@ module "vpc_cni_irsa" {
   }
 }
 
+module "alb_controller_irsa" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_name = "PRES-ALB-CONTROLLER-${upper(module.eks.cluster_name)}"
+
+  attach_load_balancer_controller_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
+    }
+  }
+}
+
 module "sops_kms_irsa" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+authentik_url = ""`
	`2`	`+authentik_api_key = ""`
Original file line number	Diff line number	Diff line change
`@@ -48,4 +48,4 @@ RUN \`
`48`	`48`
`49`	`49`	`RUN chmod +x /gitops-tools/* && ln -sf /gitops-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /usr/local/sbin/helm`
`50`	`50`
`51`		`-USER argocd`
	`51`	`+USER $ARGOCD_USER_ID`