homelab/terraform/authentik/modules/oauth-provider/main.tf

terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = ">= 2023.10.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5.0"
    }
  }
}

# Get all available scope mappings
data "authentik_property_mapping_provider_scope" "all_scopes" {
  managed_list = [
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-openid", 
    "goauthentik.io/providers/oauth2/scope-profile"
  ]
}

# Filter scope mappings based on requested scopes
locals {
  scope_name_mapping = {
    "openid"  = "goauthentik.io/providers/oauth2/scope-openid"
    "profile" = "goauthentik.io/providers/oauth2/scope-profile"
    "email"   = "goauthentik.io/providers/oauth2/scope-email"
  }
  
  selected_scope_ids = [
    for scope in var.scope_mappings : 
      data.authentik_property_mapping_provider_scope.all_scopes.ids[index(data.authentik_property_mapping_provider_scope.all_scopes.managed_list, local.scope_name_mapping[scope])]
    if contains(keys(local.scope_name_mapping), scope)
  ]
}

resource "random_password" "client_secret" {
  count   = var.client_secret == null ? 1 : 0
  length  = 40
  special = true
}

resource "authentik_provider_oauth2" "provider" {
  name                       = var.name
  client_id                  = var.client_id != null ? var.client_id : random_id.client_id[0].hex
  client_secret              = var.client_secret != null ? var.client_secret : random_password.client_secret[0].result
  client_type                = var.client_type
  authorization_flow         = var.authorization_flow
  invalidation_flow          = var.invalidation_flow
  include_claims_in_id_token = var.include_claims_in_id_token
  access_code_validity       = var.access_code_validity
  access_token_validity      = var.access_token_validity
  refresh_token_validity     = var.refresh_token_validity
  signing_key                = var.signing_key
  
  allowed_redirect_uris = [
    for uri in var.redirect_uris : {
      matching_mode = "strict"
      url           = uri
    }
  ]
  
  property_mappings         = length(var.property_mappings) > 0 ? var.property_mappings : local.selected_scope_ids
}

resource "random_id" "client_id" {
  count       = var.client_id == null ? 1 : 0
  byte_length = 20
}

resource "authentik_application" "app" {
  name                = var.app_name
  slug                = var.app_slug
  protocol_provider   = authentik_provider_oauth2.provider.id
  group              = var.app_group
  policy_engine_mode = var.policy_engine_mode
  meta_description   = var.meta_description
  meta_launch_url    = var.meta_launch_url
  meta_icon          = var.meta_icon
}

resource "authentik_policy_binding" "app_access" {
  for_each = var.access_policies

  target = authentik_application.app.id
  policy = each.value.policy_id
  order  = each.value.order
  
  enabled    = lookup(each.value, "enabled", true)
  timeout    = lookup(each.value, "timeout", 30)
  negate     = lookup(each.value, "negate", false)
  failure_result = lookup(each.value, "failure_result", true)
}

# Binding groups to the application
resource "authentik_policy_binding" "group_bindings" {
  for_each = { for idx, group_id in var.access_groups : idx => group_id }

  target = authentik_application.app.uuid
  group  = each.value
  order  = 10 + each.key
}
Added authentik terraform 2025-09-15 21:42:01 +03:00			`terraform {`
			`required_providers {`
			`authentik = {`
			`source = "goauthentik/authentik"`
			`version = ">= 2023.10.0"`
			`}`
			`random = {`
			`source = "hashicorp/random"`
			`version = ">= 3.5.0"`
			`}`
			`}`
			`}`

Added Authentik TF code 2025-09-16 15:28:42 +03:00			`# Get all available scope mappings`
			`data "authentik_property_mapping_provider_scope" "all_scopes" {`
			`managed_list = [`
			`"goauthentik.io/providers/oauth2/scope-email",`
			`"goauthentik.io/providers/oauth2/scope-openid",`
			`"goauthentik.io/providers/oauth2/scope-profile"`
			`]`
			`}`

			`# Filter scope mappings based on requested scopes`
			`locals {`
			`scope_name_mapping = {`
			`"openid" = "goauthentik.io/providers/oauth2/scope-openid"`
			`"profile" = "goauthentik.io/providers/oauth2/scope-profile"`
			`"email" = "goauthentik.io/providers/oauth2/scope-email"`
			`}`

			`selected_scope_ids = [`
			`for scope in var.scope_mappings :`
			`data.authentik_property_mapping_provider_scope.all_scopes.ids[index(data.authentik_property_mapping_provider_scope.all_scopes.managed_list, local.scope_name_mapping[scope])]`
			`if contains(keys(local.scope_name_mapping), scope)`
			`]`
			`}`

Added authentik terraform 2025-09-15 21:42:01 +03:00			`resource "random_password" "client_secret" {`
			`count = var.client_secret == null ? 1 : 0`
			`length = 40`
			`special = true`
			`}`

			`resource "authentik_provider_oauth2" "provider" {`
			`name = var.name`
			`client_id = var.client_id != null ? var.client_id : random_id.client_id[0].hex`
			`client_secret = var.client_secret != null ? var.client_secret : random_password.client_secret[0].result`
			`client_type = var.client_type`
			`authorization_flow = var.authorization_flow`
			`invalidation_flow = var.invalidation_flow`
			`include_claims_in_id_token = var.include_claims_in_id_token`
Added Authentik TF code 2025-09-16 15:28:42 +03:00			`access_code_validity = var.access_code_validity`
			`access_token_validity = var.access_token_validity`
			`refresh_token_validity = var.refresh_token_validity`
			`signing_key = var.signing_key`
Added authentik terraform 2025-09-15 21:42:01 +03:00
Added Authentik TF code 2025-09-16 15:28:42 +03:00			`allowed_redirect_uris = [`
			`for uri in var.redirect_uris : {`
			`matching_mode = "strict"`
			`url = uri`
			`}`
			`]`

			`property_mappings = length(var.property_mappings) > 0 ? var.property_mappings : local.selected_scope_ids`
Added authentik terraform 2025-09-15 21:42:01 +03:00			`}`

			`resource "random_id" "client_id" {`
			`count = var.client_id == null ? 1 : 0`
			`byte_length = 20`
			`}`

			`resource "authentik_application" "app" {`
			`name = var.app_name`
			`slug = var.app_slug`
			`protocol_provider = authentik_provider_oauth2.provider.id`
			`group = var.app_group`
			`policy_engine_mode = var.policy_engine_mode`
			`meta_description = var.meta_description`
			`meta_launch_url = var.meta_launch_url`
			`meta_icon = var.meta_icon`
			`}`

			`resource "authentik_policy_binding" "app_access" {`
			`for_each = var.access_policies`

			`target = authentik_application.app.id`
			`policy = each.value.policy_id`
			`order = each.value.order`

			`enabled = lookup(each.value, "enabled", true)`
			`timeout = lookup(each.value, "timeout", 30)`
			`negate = lookup(each.value, "negate", false)`
			`failure_result = lookup(each.value, "failure_result", true)`
Added Authentik TF code 2025-09-16 15:28:42 +03:00			`}`

			`# Binding groups to the application`
			`resource "authentik_policy_binding" "group_bindings" {`
			`for_each = { for idx, group_id in var.access_groups : idx => group_id }`

			`target = authentik_application.app.uuid`
			`group = each.value`
			`order = 10 + each.key`
Added authentik terraform 2025-09-15 21:42:01 +03:00			`}`