From a9639a9340e8f5e64787ee3c2b1e092142cf4134 Mon Sep 17 00:00:00 2001 From: Tine Date: Fri, 20 Sep 2024 21:32:17 +0200 Subject: [PATCH] feat: service account --- terraform/.terraform.lock.hcl | 22 ++++++++++++++++++++++ terraform/node.tf | 8 ++++---- terraform/serviceaccount.tf | 11 ++++++----- terraform/variables.tf | 14 +++++++++++--- 4 files changed, 43 insertions(+), 12 deletions(-) diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 3354b09..affa7ef 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl @@ -48,6 +48,28 @@ provider "registry.opentofu.org/digitalocean/digitalocean" { ] } +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2024.8.3" + constraints = "2024.8.3" + hashes = [ + "h1:NiXi1gn1BH2tk1MIqgl6hQotwVe8FN8RJqvE7ix+EWs=", + "zh:1d2d165662d36dae0aacb478a6bae055546979dea58ee3762dd7d398b7f60e8c", + "zh:3a118d3c123eab3e26c33821607d2f70f9e317d3d33289f9d615e4b6d353b877", + "zh:3fa67bd9c64c1277a107205becdbd2d35649aeb97b591bc8a5bdd8444164f754", + "zh:40bbc8a31e7568ad68100620aa229fbb1837846b79ad8a468bf486b519d19c8c", + "zh:4ffb5344ae5ec44edf0f5c92f600455a731683b13b7a322760153eb53ff544af", + "zh:5b52f1268ca28b7c6869e69363ffff139d965fab0ae7d2e1158688cb076a7298", + "zh:7c598a517e358eb4a83d0805845e6e8b1aa9320143d225fc14d6987e8dd12506", + "zh:843627dd43a5df89f907ccd499b7264e00df0e1269dccec0738f1d5efb5db969", + "zh:8604f50738667066406c31775a32497eca69f52a085bcd14862736b1d0183de1", + "zh:9de948d1df56fe6a6eb4279c704554ea70f8791b6dbd301a3432ab7859718360", + "zh:9f95520468bf49ae11e9d2493cafdb99910faeac34bb25586105e5326461949b", + "zh:d25048f3cbe96981dc72894c7ceae839846c240e2c270909aaf93cdf8af75a14", + "zh:e2e72159b9a1d91c7bd4eb62e09eaf7440478a493d853cb3aa3076b9acd8793b", + "zh:f6af0fd2e89ea7b7e692ef893cf5fdcc6f53c37fc0c6e066a28d9c834226c539", + ] +} + provider "registry.opentofu.org/hashicorp/dns" { version = "3.4.1" constraints = "~> 3.4.1" diff --git a/terraform/node.tf b/terraform/node.tf index 0a8ff43..db97a3f 100644 --- a/terraform/node.tf +++ b/terraform/node.tf @@ -8,11 +8,11 @@ locals { mac_address = "AA:BB:07:00:${format("%v:%v", substr(sha1(v.name), 0, 2), substr(sha1(v.name), 2, 2))}" domain = local.domain meta = { - name = each.value.name - domain = each.value.domain + name = v.name + domain = local.domain service_account = { - username = authentik_user.service_account[each.value.name].username - password = authentik_token.service_account[each.value.name].token + username = authentik_user.service_account[k].username + password = authentik_token.service_account[k].key } } }) diff --git a/terraform/serviceaccount.tf b/terraform/serviceaccount.tf index 80b48f1..3a4c79d 100644 --- a/terraform/serviceaccount.tf +++ b/terraform/serviceaccount.tf @@ -21,9 +21,10 @@ resource "authentik_user" "service_account" { resource "authentik_token" "service_account" { for_each = var.nodes - identifier = "svc.tjo.cloud-service-account-${each.value.name}" - user = authentik_user.service_account[each.value.name].id - description = "Service account for ${each.value.name} node" - expiring = false - intent = "app_password" + identifier = "svc-tjo-cloud-service-account-${each.value.name}" + user = authentik_user.service_account[each.key].id + description = "Service account for ${each.value.name} node" + expiring = false + intent = "app_password" + retrieve_key = true } diff --git a/terraform/variables.tf b/terraform/variables.tf index 120083d..ae27ff5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -33,13 +33,21 @@ variable "common_storage" { } variable "digitalocean_token" { - type = string + type = string + sensitive = true } variable "proxmox_token" { - type = string + type = string + sensitive = true } variable "tailscale_apikey" { - type = string + type = string + sensitive = true +} + +variable "authentik_token" { + type = string + sensitive = true }