homelab/terraform/authentik/modules/saml-provider/main.tf

terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = ">= 2023.10.0"
    }
  }
}

data "authentik_certificate_key_pair" "default" {
  name = "authentik Self-signed Certificate"
}

resource "authentik_provider_saml" "provider" {
  name               = var.name
  authorization_flow = var.authorization_flow
  invalidation_flow  = var.invalidation_flow
  acs_url            = var.acs_url
  issuer             = var.issuer
  audience           = var.audience
  sp_binding         = var.sp_binding
  signing_kp         = var.signing_key != null ? var.signing_key : data.authentik_certificate_key_pair.default.id
  property_mappings  = var.property_mappings
  name_id_mapping    = var.name_id_mapping
  
  assertion_valid_not_before = var.assertion_valid_not_before
  assertion_valid_not_on_or_after = var.assertion_valid_not_on_or_after
  session_valid_not_on_or_after = var.session_valid_not_on_or_after
}

resource "authentik_application" "app" {
  name                = var.app_name
  slug                = var.app_slug
  protocol_provider   = authentik_provider_saml.provider.id
  group              = var.app_group
  policy_engine_mode = var.policy_engine_mode
  meta_description   = var.meta_description
  meta_launch_url    = var.meta_launch_url
  meta_icon          = var.meta_icon
}

resource "authentik_policy_binding" "app_access" {
  for_each = var.access_policies

  target = authentik_application.app.id
  policy = each.value.policy_id
  order  = each.value.order
  
  enabled    = lookup(each.value, "enabled", true)
  timeout    = lookup(each.value, "timeout", 30)
  negate     = lookup(each.value, "negate", false)
  failure_result = lookup(each.value, "failure_result", true)
}
Added Authentik TF code 2025-09-16 15:28:42 +03:00			`terraform {`
			`required_providers {`
			`authentik = {`
			`source = "goauthentik/authentik"`
			`version = ">= 2023.10.0"`
			`}`
			`}`
			`}`

			`data "authentik_certificate_key_pair" "default" {`
			`name = "authentik Self-signed Certificate"`
			`}`

			`resource "authentik_provider_saml" "provider" {`
			`name = var.name`
			`authorization_flow = var.authorization_flow`
			`invalidation_flow = var.invalidation_flow`
			`acs_url = var.acs_url`
			`issuer = var.issuer`
			`audience = var.audience`
			`sp_binding = var.sp_binding`
			`signing_kp = var.signing_key != null ? var.signing_key : data.authentik_certificate_key_pair.default.id`
			`property_mappings = var.property_mappings`
			`name_id_mapping = var.name_id_mapping`

			`assertion_valid_not_before = var.assertion_valid_not_before`
			`assertion_valid_not_on_or_after = var.assertion_valid_not_on_or_after`
			`session_valid_not_on_or_after = var.session_valid_not_on_or_after`
			`}`

			`resource "authentik_application" "app" {`
			`name = var.app_name`
			`slug = var.app_slug`
			`protocol_provider = authentik_provider_saml.provider.id`
			`group = var.app_group`
			`policy_engine_mode = var.policy_engine_mode`
			`meta_description = var.meta_description`
			`meta_launch_url = var.meta_launch_url`
			`meta_icon = var.meta_icon`
			`}`

			`resource "authentik_policy_binding" "app_access" {`
			`for_each = var.access_policies`

			`target = authentik_application.app.id`
			`policy = each.value.policy_id`
			`order = each.value.order`

			`enabled = lookup(each.value, "enabled", true)`
			`timeout = lookup(each.value, "timeout", 30)`
			`negate = lookup(each.value, "negate", false)`
			`failure_result = lookup(each.value, "failure_result", true)`
			`}`