# Looks up the existing authentik group named "monitor.tjo.cloud publisher".
# Every service account created below is added to this group, so whatever
# the group is allowed to do applies to each node's account.
data "authentik_group" "monitoring_publisher" {
  name = "monitor.tjo.cloud publisher"
  # Only the group itself is needed here (its id); member users are not fetched.
  include_users = false
}

# One authentik service account per entry in var.nodes.
# NOTE(review): assumes var.nodes is a map (or set of objects) whose values
# expose a `name` attribute; the variable is declared outside this file.
resource "authentik_user" "service_account" {
  for_each = var.nodes

  # username, display name and email all use the same derived address:
  # "<node name>.ingress@svc.tjo.cloud".
  username = "${each.value.name}.ingress@svc.tjo.cloud"
  name     = "${each.value.name}.ingress@svc.tjo.cloud"
  email    = "${each.value.name}.ingress@svc.tjo.cloud"

  # Marked as a service account rather than an interactive user, and filed
  # under the "svc.tjo.cloud" path.
  type = "service_account"
  path = "svc.tjo.cloud"

  # Membership in the publisher group is the only grant made here.
  # NOTE(review): the group's permissions are defined elsewhere; confirm it
  # is limited to what a node needs to publish monitoring data.
  groups = [
    data.authentik_group.monitoring_publisher.id,
  ]
}

# One app-password token per node, bound to that node's service account.
resource "authentik_token" "service_account" {
  for_each = var.nodes

  # The identifier is built from each.value.name, while the resource instance
  # is keyed by each.key. Two nodes sharing a name would produce the same
  # identifier.
  identifier = "svc-tjo-cloud-service-account-${each.value.name}"
  user       = authentik_user.service_account[each.key].id

  description = "Service account for ${each.value.name} node"

  # The token never expires. A leaked key stays valid until the token is
  # replaced or destroyed, so rotation is a manual step. Removing a node from
  # var.nodes destroys its token on the next apply.
  expiring = false
  intent   = "app_password"

  # The provider reads the token key back into this resource's `key`
  # attribute, so the secret is stored in the Terraform state. Keep the state
  # in an encrypted backend with restricted access, and mark any output that
  # exposes `key` as sensitive.
  retrieve_key = true
}