Add data source policy#546

Open

l-with wants to merge 4 commits into goauthentik:main from l-with:add-data-source-policy

Conversation

l-with (Contributor) commented Aug 12, 2024

Useful to rebuild default flows with dedicated changes.

@l-with l-with requested a review from a team as a code owner August 12, 2024 10:08
codecov bot commented Aug 12, 2024

Codecov Report

❌ Patch coverage is 92.59259% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.69%. Comparing base (19e6a19) to head (9157fc7).
⚠️ Report is 374 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| internal/provider/data_source_policy.go | 92.30% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files

```
@@            Coverage Diff             @@
##             main     #546      +/-   ##
==========================================
- Coverage   83.81%   83.69%   -0.13%     
==========================================
  Files          95       96       +1     
  Lines        9103     9130      +27     
==========================================
+ Hits         7630     7641      +11     
- Misses       1047     1055       +8     
- Partials      426      434       +8     
```


l-with force-pushed the add-data-source-policy branch from 05bfb1c to 9157fc7 on August 14, 2024 15:16
rissson (Member) commented Aug 14, 2024

Instead of a single authentik_policy data source, I'd probably go with one for each type of policy, so authentik_policy_expression, authentik_policies_dummy, authentik_policies_geoip, authentik_policies_reputation, authentik_policies_expiry and so on.

l-with (Contributor, Author) commented Aug 15, 2024

@rissson
By "useful to rebuild default flows with dedicated changes" I mean the possibility of replacing the following code (which copies the Python code of an existing policy):

```hcl
resource "authentik_policy_expression" "authentication-flow-password-stage" {
  # Copy of the expression from the default policy. A plain <<EOT heredoc keeps
  # leading whitespace, so the first Python line must start at column 0 or the
  # expression fails with an indentation error.
  expression = <<EOT
flow_plan = request.context.get("flow_plan")
if not flow_plan:
    return True
# If the user does not have a backend attached to it, they haven't
# been authenticated yet and we need the password stage
return not hasattr(flow_plan.context.get("pending_user"), "backend")
EOT
  name       = "authentication-flow-password-stage"
}

resource "authentik_policy_binding" "my-default-authentication-password_" {
  policy = authentik_policy_expression.authentication-flow-password-stage.id
  target = authentik_flow_stage_binding.my-default-authentication-password.id
  order  = 10
}
```

with this one (using the id of a data source):

```hcl
data "authentik_policy" "default-authentication-flow-password-stage" {
  name = "default-authentication-flow-password-stage"
}

resource "authentik_policy_binding" "my-default-authentication-password_" {
  # The reference must use the label declared on the data block above
  policy = data.authentik_policy.default-authentication-flow-password-stage.id
  target = authentik_flow_stage_binding.my-default-authentication-password.id
  order  = 10
}
```

This is much smarter and needs only the id.
For retrieving the id of a policy, a generic data source is sufficient.

This is the same as using the stage data source for flow bindings, which works nicely.

mentos1386 commented

+1 for this to be added.

Currently we must create multiple (identical) policies instead of reusing a single one, which is a bad practice (?).

What I would want follows closely the previous comment:

```hcl
data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}

resource "authentik_provider_oauth2" "name" {
  name               = "postgresql.foo.bar"
  client_id          = "postgresql-foo-bar"
  authorization_flow = data.authentik_flow.default-authorization-flow.id
}

data "authentik_policy" "only-members-of-admin-group" {
  name = "only-members-of-admin-group"
}

resource "authentik_policy_binding" "app-access" {
  # Bind the existing policy (looked up by name above) to the application below
  target = authentik_application.name.uuid
  policy = data.authentik_policy.only-members-of-admin-group.id
  order  = 0
}

resource "authentik_application" "name" {
  name              = "postgresql.foo.bar"
  slug              = "postgresql-foo-bar"
  group             = "Administration"
  protocol_provider = authentik_provider_oauth2.name.id
}
```

severin (Contributor) commented Dec 9, 2025

+1 on this!

Currently I use an ugly workaround where I define a local variable with the identifier and use it to reference an existing policy:

```hcl
locals {
  default_source_enrollment_if_sso_policy = {
    id = "12345678-1234-1234-1234-123456789012"
  }
}

resource "authentik_policy_binding" "flow_if_sso" {
  target = authentik_flow.some_enrollment_flow.uuid
  # Locals are referenced as local.<name>, not locals.<name>
  policy = local.default_source_enrollment_if_sso_policy.id
  order  = 0
}
```
