feat: Add Portainer OAuth2 + enable RBAC policy bindings

- Add app-portainer.tf: OAuth2 provider for Portainer container management - Add portainer_url variable - Enable RBAC policy bindings for Grafana, ArgoCD, Home Assistant - Portainer bound to Infrastructure group policy RBAC Summary: - Infrastructure group → Grafana, ArgoCD, Portainer - Home Automation group → Home Assistant - Media group → arr stack (existing in app-proxy-arr-stack.tf)
2026-02-10 06:44:58 +00:00 · 2026-02-05 16:03:40 +00:00
parent 61ab2ec70c
commit d55a52a8d5
4 changed files with 88 additions and 13 deletions
--- a/rbac-groups.tf
+++ b/rbac-groups.tf
@@ -55,20 +55,31 @@ resource "authentik_policy_expression" "home_automation_access" {
 }

 # -----------------------------------------------------------------------------
-# Example: Bind policy to an application
-# Uncomment and modify for your applications
+# Application Policy Bindings
+# Restrict app access by group membership
 # -----------------------------------------------------------------------------
-# resource "authentik_policy_binding" "sonarr_media_access" {
-#   target = authentik_application.sonarr.uuid
-#   policy = authentik_policy_expression.media_access.id
-#   order  = 0
-# }
-#
-# resource "authentik_policy_binding" "grafana_infra_access" {
-#   target = authentik_application.grafana.uuid
-#   policy = authentik_policy_expression.infrastructure_access.id
-#   order  = 0
-# }
+
+# Infrastructure apps - require Infrastructure group
+resource "authentik_policy_binding" "grafana_infra_access" {
+  target = authentik_application.grafana.uuid
+  policy = authentik_policy_expression.infrastructure_access.id
+  order  = 0
+}
+
+resource "authentik_policy_binding" "argocd_infra_access" {
+  target = authentik_application.argocd.uuid
+  policy = authentik_policy_expression.infrastructure_access.id
+  order  = 0
+}
+
+# Home Automation apps
+resource "authentik_policy_binding" "homeassistant_access" {
+  target = authentik_application.home_assistant.uuid
+  policy = authentik_policy_expression.home_automation_access.id
+  order  = 0
+}
+
+# Media apps - require Media group (handled in app-proxy-arr-stack.tf)

 # -----------------------------------------------------------------------------
 # Outputs