add app entitlement

docs/resources/application_entitlement.md

@@ -0,0 +1,51 @@
+---
+page_title: "authentik_application_entitlement Resource - terraform-provider-authentik"
+subcategory: "Applications"
+description: |-
+  
+---
+
+# authentik_application_entitlement (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# Create an application entitlement bound to a group
+resource "authentik_application" "name" {
+  name = "example-app"
+  slug = "example-app"
+}
+
+resource "authentik_application_entitlement" "ent" {
+  name        = "test-ent"
+  application = authentik_application.name.id
+}
+
+resource "authentik_group" "group" {
+  name = "test-ent-group"
+}
+
+resource "authentik_policy_binding" "test-ent-access" {
+  target = authentik_application.name.uuid
+  group  = authentik_group.group.id
+  order  = 0
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `application` (String)
+- `name` (String)
+
+### Optional
+
+- `attributes` (String) JSON format expected. Use jsonencode() to pass objects. Defaults to `{}`.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.

docs/resources/group.md

@@ -18,6 +18,7 @@ resource "authentik_user" "name" {
   username = "user"
   name     = "User"
 }
+
 resource "authentik_group" "group" {
   name         = "tf_admins"
   users        = [authentik_user.name.id]

examples/resources/authentik_application_entitlement/resource.tf

@@ -0,0 +1,20 @@
+# Create an application entitlement bound to a group
+resource "authentik_application" "name" {
+  name = "example-app"
+  slug = "example-app"
+}
+
+resource "authentik_application_entitlement" "ent" {
+  name        = "test-ent"
+  application = authentik_application.name.id
+}
+
+resource "authentik_group" "group" {
+  name = "test-ent-group"
+}
+
+resource "authentik_policy_binding" "test-ent-access" {
+  target = authentik_application.name.uuid
+  group  = authentik_group.group.id
+  order  = 0
+}

examples/resources/authentik_group/resource.tf

@@ -4,6 +4,7 @@ resource "authentik_user" "name" {
   username = "user"
   name     = "User"
 }
+
 resource "authentik_group" "group" {
   name         = "tf_admins"
   users        = [authentik_user.name.id]

internal/provider/provider.go

@@ -70,6 +70,7 @@ func Provider(version string, testing bool) *schema.Provider {
 			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
+			"authentik_application_entitlement":                    tr(resourceApplicationEntitlement),
 			"authentik_application":                                tr(resourceApplication),
 			"authentik_blueprint":                                  tr(resourceBlueprintInstance),
 			"authentik_brand":                                      tr(resourceBrand),

internal/provider/resource_application_entitlement.go

@@ -0,0 +1,121 @@
+package provider
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	api "goauthentik.io/api/v3"
+)
+
+func resourceApplicationEntitlement() *schema.Resource {
+	return &schema.Resource{
+		Description:   "Applications --- ",
+		CreateContext: resourceApplicationEntitlementCreate,
+		ReadContext:   resourceApplicationEntitlementRead,
+		UpdateContext: resourceApplicationEntitlementUpdate,
+		DeleteContext: resourceApplicationEntitlementDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"application": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"attributes": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          "{}",
+				Description:      "JSON format expected. Use jsonencode() to pass objects.",
+				DiffSuppressFunc: diffSuppressJSON,
+			},
+		},
+	}
+}
+
+func resourceApplicationEntitlementSchemaToModel(d *schema.ResourceData) (*api.ApplicationEntitlementRequest, diag.Diagnostics) {
+	m := api.ApplicationEntitlementRequest{
+		Name: d.Get("name").(string),
+		App:  d.Get("application").(string),
+	}
+
+	attr := make(map[string]interface{})
+	if l, ok := d.Get("attributes").(string); ok && l != "" {
+		err := json.NewDecoder(strings.NewReader(l)).Decode(&attr)
+		if err != nil {
+			return nil, diag.FromErr(err)
+		}
+	}
+	m.Attributes = attr
+	return &m, nil
+}
+
+func resourceApplicationEntitlementCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	c := m.(*APIClient)
+
+	app, diags := resourceApplicationEntitlementSchemaToModel(d)
+	if diags != nil {
+		return diags
+	}
+
+	res, hr, err := c.client.CoreApi.CoreApplicationEntitlementsCreate(ctx).ApplicationEntitlementRequest(*app).Execute()
+	if err != nil {
+		return httpToDiag(d, hr, err)
+	}
+
+	d.SetId(res.PbmUuid)
+	return resourceApplicationEntitlementRead(ctx, d, m)
+}
+
+func resourceApplicationEntitlementRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	var diags diag.Diagnostics
+	c := m.(*APIClient)
+
+	res, hr, err := c.client.CoreApi.CoreApplicationEntitlementsRetrieve(ctx, d.Id()).Execute()
+	if err != nil {
+		return httpToDiag(d, hr, err)
+	}
+
+	d.SetId(res.PbmUuid)
+	setWrapper(d, "name", res.Name)
+	setWrapper(d, "application", res.App)
+	b, err := json.Marshal(res.Attributes)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	setWrapper(d, "attributes", string(b))
+	return diags
+}
+
+func resourceApplicationEntitlementUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	c := m.(*APIClient)
+
+	app, diags := resourceApplicationEntitlementSchemaToModel(d)
+	if diags != nil {
+		return diags
+	}
+
+	res, hr, err := c.client.CoreApi.CoreApplicationEntitlementsUpdate(ctx, d.Id()).ApplicationEntitlementRequest(*app).Execute()
+	if err != nil {
+		return httpToDiag(d, hr, err)
+	}
+
+	d.SetId(res.PbmUuid)
+	return resourceApplicationEntitlementRead(ctx, d, m)
+}
+
+func resourceApplicationEntitlementDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	c := m.(*APIClient)
+	hr, err := c.client.CoreApi.CoreApplicationEntitlementsDestroy(ctx, d.Id()).Execute()
+	if err != nil {
+		return httpToDiag(d, hr, err)
+	}
+	return diag.Diagnostics{}
+}

internal/provider/resource_application_entitlement_test.go

@@ -0,0 +1,62 @@
+package provider
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccResourceApplicationEntitlement(t *testing.T) {
+	rName := acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
+	resource.UnitTest(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceApplicationEntitlementSimple(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("authentik_application.name", "name", rName),
+					resource.TestCheckResourceAttr("authentik_application.name", "slug", rName),
+					resource.TestCheckResourceAttr("authentik_application_entitlement.ent", "name", rName),
+				),
+			},
+			{
+				Config: testAccResourceApplicationEntitlementSimple(rName + "test"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("authentik_application.name", "name", rName+"test"),
+					resource.TestCheckResourceAttr("authentik_application.name", "slug", rName+"test"),
+					resource.TestCheckResourceAttr("authentik_application_entitlement.ent", "name", rName+"test"),
+				),
+			},
+		},
+	})
+}
+
+func testAccResourceApplicationEntitlementSimple(name string) string {
+	return fmt.Sprintf(`
+data "authentik_flow" "default-authentication-flow" {
+  slug = "default-authentication-flow"
+}
+
+data "authentik_flow" "default-provider-invalidation-flow" {
+  slug = "default-provider-invalidation-flow"
+}
+
+data "authentik_certificate_key_pair" "generated" {
+  name = "authentik Self-signed Certificate"
+}
+
+resource "authentik_application" "name" {
+  name              = "%[1]s"
+  slug              = "%[1]s"
+  meta_icon = "http://localhost/%[1]s"
+}
+
+resource "authentik_application_entitlement" "ent" {
+  name = "%[1]s"
+  application = authentik_application.name.id
+}
+`, name)
+}