devops/infra/modules/fusionauth/tenant/main.tf


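terraform {
  required_providers {
    fusionauth = {
      source = "FusionAuth/fusionauth"
      # Pinned to an exact version: this provider is pre-1.0 and schema
      # changes between releases can force resource replacement.
      version = "0.1.111"
    }
    # random_uuid.tenant_id below uses this provider. Declaring it here makes
    # the dependency explicit instead of relying on Terraform's implicit
    # hashicorp/ namespace lookup (which resolves to the same provider).
    # Add a version constraint once the team settles on one.
    random = {
      source = "hashicorp/random"
    }
  }
}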
# Management-API credentials for the FusionAuth instance that will host the
# tenant. Creating tenants and keys needs an instance-scoped API key, so this
# is a high-privilege secret: keep it out of VCS, and mark
# var.fusionauth_api_key `sensitive = true` in variables.tf (not visible in
# this file) so it is redacted from plan output. It will still be present in
# state, so the state backend needs to be treated as secret too.
provider "fusionauth" {
  host    = var.fusionauth_uri
  api_key = var.fusionauth_api_key
}
locals {
  # Value of the `iss` claim in every token this tenant signs. An explicit
  # override wins; otherwise a tenant-unique issuer is derived under the
  # FusionAuth base URL (assumes var.fusionauth_uri has no trailing slash —
  # confirm, or the derived issuer will contain "//"). Relying parties must
  # validate `iss` against exactly this string.
  issuer = (
    var.tenant_issuer == null
    ? "${var.fusionauth_uri}/${random_uuid.tenant_id.result}"
    : var.tenant_issuer
  )
}
# Asymmetric signing key for this tenant's ID and access tokens. RS256 means
# relying parties verify with the published public key and never need to
# hold a shared secret.
resource "fusionauth_key" "oidc" {
  # NOTE(review): depends_on normally only accepts resource/module addresses;
  # confirm the Terraform version in use accepts a variable here.
  depends_on = [var.wait_on]
  name       = "OpenID Connect compliant RSA using SHA-256"
  algorithm  = "RS256"
  # 2048 bits is the customary floor for RSA today. Editing `length` or
  # `algorithm` later will most likely replace the key, invalidating every
  # token it signed — rotate by adding a second key and re-pointing the
  # tenant's jwt_configuration at it instead.
  length     = 2048
}
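# JWT-populate lambda that copies the user's application-registration roles
# into the token as a `roles` claim. Downstream services authorise on this
# claim, so it is only as trustworthy as the token signature (see
# fusionauth_key.oidc).
resource "fusionauth_lambda" "rbac" {
  depends_on = [var.wait_on]
  name       = "RBAC"
  type       = "JWTPopulate"
  # `registration` is only present when the user actually holds a
  # registration for the application the token is issued for; without the
  # guard, a missing registration throws inside the lambda (FusionAuth logs
  # the error and the token goes out without the claim). The guard keeps the
  # outcome the same for that case — no `roles` claim — without the error.
  # An empty roles array is still truthy in JS and is copied through as [].
  body = <<EOT
function populate(jwt, user, registration) {
  if (registration && registration.roles) {
    jwt.roles = registration.roles;
  }
}
EOT
}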
# Tenant UUID generated once at create time. The result is kept in state and
# reused on every later apply, so the tenant id (and the default issuer
# derived from it in local.issuer) stays stable for the life of the tenant.
resource "random_uuid" "tenant_id" {
}
# The tenant that owns this module's users, signing key and token settings.
resource "fusionauth_tenant" "main" {
  depends_on = [var.wait_on]
  name       = var.tenant_name
  tenant_id  = random_uuid.tenant_id.result
  # Becomes the `iss` claim of every token this tenant signs.
  issuer     = local.issuer
  theme_id   = var.theme_id

  # Unauthenticated, plaintext SMTP to a relay on the FusionAuth host itself.
  # Verification, password-setup and MFA e-mails travel this hop in the clear,
  # so the relay must genuinely be local to the process/pod, not a network
  # hop, and it is the relay's job to add TLS/auth onward.
  email_configuration {
    host = "localhost"
    port = 25
  }

  # Lifetimes (seconds) and generators for the one-time identifiers FusionAuth
  # embeds in links and codes. Short TTLs bound how long a leaked link or code
  # is replayable. 32 random bytes are unguessable; the 6-character codes are
  # not, and rely on their TTL plus FusionAuth's own attempt limiting to resist
  # online guessing — confirm that limiting is on for this tenant.
  external_identifier_configuration {
    authorization_grant_id_time_to_live_in_seconds     = 30
    change_password_id_time_to_live_in_seconds         = 600
    device_code_time_to_live_in_seconds                = 300
    # 24 h link lifetime for e-mail and registration verification.
    email_verification_id_time_to_live_in_seconds      = 86400
    external_authentication_id_time_to_live_in_seconds = 300
    one_time_password_time_to_live_in_seconds          = 1800
    login_intent_time_to_live_in_seconds               = 300
    passwordless_login_time_to_live_in_seconds         = 180
    registration_verification_id_time_to_live_in_seconds = 86400
    setup_password_id_time_to_live_in_seconds          = 86400
    two_factor_id_time_to_live_in_seconds              = 300
    # TOTP-style code is only accepted for 60 s.
    two_factor_one_time_code_id_time_to_live_in_seconds = 60
    # 30 days: a browser that passed MFA once is trusted ("remember this
    # device") for this long before being challenged again. A stolen trust
    # cookie therefore bypasses MFA for up to a month.
    two_factor_trust_id_time_to_live_in_seconds        = 2592000
    change_password_id_generator {
      length = 32
      type   = "randomBytes"
    }
    device_user_code_id_generator {
      length = 6
      type   = "randomAlphaNumeric"
    }
    email_verification_id_generator {
      length = 32
      type   = "randomBytes"
    }
    # NOTE(review): a 6-char alphanumeric code that stays valid for the full
    # 24 h verification window is the weakest identifier here; consider a
    # shorter TTL for the code path if online guessing is a concern.
    email_verification_one_time_code_generator {
      length = 6
      type   = "randomAlphaNumeric"
    }
    passwordless_login_generator {
      length = 32
      type   = "randomBytes"
    }
    registration_verification_id_generator {
      length = 32
      type   = "randomBytes"
    }
    registration_verification_one_time_code_generator {
      length = 6
      type   = "randomAlphaNumeric"
    }
    setup_password_id_generator {
      length = 32
      type   = "randomBytes"
    }
    two_factor_one_time_code_id_generator {
      length = 6
      type   = "randomDigits"
    }
  }

  # TOTP authenticators may be enrolled. "Enabled" makes MFA available and
  # challenges users who have set it up; as far as the FusionAuth docs go it
  # does not force enrolment — "Required" would. Confirm that is the intent.
  multi_factor_configuration {
    login_policy = "Enabled"
    authenticator = [
      {
        enabled = true
        type    = "TOTP"
      }
    ]
  }

  # Both ID and access tokens are signed with the tenant's RS256 key.
  # Access tokens live 1 h; refresh tokens 30 days (43200 min). The sliding
  # window maximum is set to the same 30 days, but it only applies if the
  # refresh-token expiration policy is the sliding-window-with-maximum one,
  # which this block does not set — so it may be inert as written.
  jwt_configuration {
    refresh_token_time_to_live_in_minutes                        = 43200
    refresh_token_sliding_window_maximum_time_to_live_in_minutes = 43200
    time_to_live_in_seconds                                      = 3600
    id_token_key_id                                              = fusionauth_key.oidc.key_id
    access_token_key_id                                          = fusionauth_key.oidc.key_id
  }

  # NOTE(review): FusionAuth documents this setting as defaulting to true.
  # With it false, the Login API can be called without an API key when no
  # applicationId is supplied, which opens an unauthenticated path for
  # account enumeration and password guessing from anywhere that can reach
  # the API. Confirm a caller really depends on this; otherwise set it to
  # true and have clients pass their applicationId.
  login_configuration {
    require_authentication = false
  }
}
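output "tenant_id" {
  description = "UUID of the created tenant, for tenant-scoped API calls and for child modules that register applications in it."
  value       = fusionauth_tenant.main.tenant_id
}

output "issuer" {
  description = "Value of the `iss` claim in tokens this tenant signs; relying parties must validate against exactly this string."
  value       = fusionauth_tenant.main.issuer
}

output "rbac_lambda_id" {
  description = "Id of the JWTPopulate lambda that adds the `roles` claim; attach it to applications that need roles in their tokens."
  value       = fusionauth_lambda.rbac.id
}

# Constant true that only becomes known once the tenant exists. Presumably
# consumed as another module's `wait_on` to sequence applies after tenant
# creation — confirm against callers.
output "installed" {
  description = "Always true; resolves only after fusionauth_tenant.main is created, so it can be used as an ordering handle."
  value       = true
  depends_on  = [fusionauth_tenant.main]
}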