From 27d1b8434b390437b1aa52785f362576fadf2d8b Mon Sep 17 00:00:00 2001 From: Daniel Ankers Date: Mon, 16 Oct 2023 09:24:15 +0100 Subject: [PATCH] Move Guacamole setup to Helm --- main.tf | 110 +++++++++++++++++++++++++++++++++++++++++--------------- vars.tf | 4 +++ 2 files changed, 85 insertions(+), 29 deletions(-) diff --git a/main.tf b/main.tf index 0a0b667..fa177d6 100644 --- a/main.tf +++ b/main.tf @@ -16,11 +16,6 @@ terraform { source = "telmate/proxmox" version = "~> 2.9.8" } - guacamole = { - source = "techBeck03/guacamole" - version = "~> 1.4.1" - } - } backend "kubernetes" { secret_suffix = "tfstate" @@ -45,12 +40,6 @@ provider "keycloak" { url = "https://keycloak.${var.domain_suffix}" } -provider "guacamole" { - url = "https://guacamole.${var.domain_suffix}/guacamole" - token = var.guacamole_token - data_source = var.guacamole_datasource -} - provider "proxmox" { pm_api_url = var.proxmox_api_url pm_api_token_id = var.proxmox_token_id @@ -149,6 +138,87 @@ resource "helm_release" "gitea" { ] } +resource "keycloak_openid_client" "guac_client" { + realm_id = keycloak_realm.realm.id + client_id = "guac" + + enabled = true + + access_type = "CONFIDENTIAL" + standard_flow_enabled = true + implicit_flow_enabled = true + valid_redirect_uris = [ + "https://guac.${var.domain_suffix}/*" + ] +} + +resource "random_password" "guac_db_pw" { + length = 16 + special = false +} + +resource "random_password" "guac_db_admin_pw" { + length = 16 + special = false +} + +resource "helm_release" "guacpg" { + name = "guacpg" + namespace = var.guac_namespace + repository = "https://charts.bitnami.com/bitnami/" + chart = "postgresql" + create_namespace = true + values = [ +< x } - name = each.value.name - parent_identifier = guacamole_connection_group.routers.identifier - parameters { - hostname = each.value.default_ipv4_address - username = "vyos" - private_key = var.ssh_private_key - } -} diff --git a/vars.tf b/vars.tf index f52d1be..6fa91c1 100644 --- a/vars.tf +++ b/vars.tf 
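Review bot: In the `@@ -149,6 +138,87 @@` hunk of main.tf, `keycloak_openid_client.guac_client` enables `implicit_flow_enabled = true` together with the wildcard `valid_redirect_uris = ["https://guac.${var.domain_suffix}/*"]`. With the implicit flow the token is returned in the URL fragment, so any path on that host that can be made to redirect or echo the fragment becomes a place the token can leak. If Guacamole's OpenID extension is the only consumer, I would pin the list to the single URI configured as its `openid-redirect-uri`. I would also drop `standard_flow_enabled = true` unless something actually uses the code flow. The `values` heredoc of `helm_release.guacpg` and the rest of this hunk are not legible on this page, so how the two `random_password` results are passed to the chart could not be reviewed. If they are interpolated into `values`, they are stored in plain text in the release metadata and in the `tfstate` secret, and `set_sensitive` or a pre-created Kubernetes secret would be preferable.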
@@ -58,6 +58,10 @@ variable "guacamole_datasource" { default = "mysql" } +variable "guac_namespace" { + default = "guac" +} + variable "ssh_key" { default = <<-EOT ssh-rsa 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 dan@linux.fritz.box
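Review bot: The context of this vars.tf hunk shows `variable "guacamole_datasource"` still declared, although the commit removes its only visible consumer, the `provider "guacamole"` block in main.tf. The diffstat shows only four added lines for vars.tf, so `guacamole_token` and `ssh_private_key` (both referenced only in removed lines here) presumably also remain declared. If nothing else reads them, delete the declarations in this commit, remove the values from tfvars and CI secrets, and revoke the Guacamole API token so an unused credential does not stay live. For the new variable, a `type = string` and a one-line `description` would make the intent clear, for example `description = "Kubernetes namespace for the Guacamole releases"`.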