										 |  |  | terraform { | 
					
						
							|  |  |  |   required_providers { | 
					
						
							|  |  |  |     authentik = { | 
					
						
							|  |  |  |       source  = "goauthentik/authentik" | 
					
						
							|  |  |  |       version = ">= 2023.10.0" | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     random = { | 
					
						
							|  |  |  |       source  = "hashicorp/random" | 
					
						
							|  |  |  |       version = ">= 3.5.0" | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  | } | 
					
						
										 |  |  | # Get all available scope mappings
 | 
					
						
							|  |  |  | data "authentik_property_mapping_provider_scope" "all_scopes" { | 
					
						
							|  |  |  |   managed_list = [ | 
					
						
							|  |  |  |     "goauthentik.io/providers/oauth2/scope-email", | 
					
						
							|  |  |  |     "goauthentik.io/providers/oauth2/scope-openid",  | 
					
						
							|  |  |  |     "goauthentik.io/providers/oauth2/scope-profile" | 
					
						
							|  |  |  |   ] | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | # Filter scope mappings based on requested scopes
 | 
					
						
							|  |  |  | locals { | 
					
						
							|  |  |  |   scope_name_mapping = { | 
					
						
							|  |  |  |     "openid"  = "goauthentik.io/providers/oauth2/scope-openid" | 
					
						
							|  |  |  |     "profile" = "goauthentik.io/providers/oauth2/scope-profile" | 
					
						
							|  |  |  |     "email"   = "goauthentik.io/providers/oauth2/scope-email" | 
					
						
							|  |  |  |   } | 
					
						
							|  |  |  |    | 
					
						
							|  |  |  |   selected_scope_ids = [ | 
					
						
							|  |  |  |     for scope in var.scope_mappings :  | 
					
						
							|  |  |  |       data.authentik_property_mapping_provider_scope.all_scopes.ids[index(data.authentik_property_mapping_provider_scope.all_scopes.managed_list, local.scope_name_mapping[scope])] | 
					
						
							|  |  |  |     if contains(keys(local.scope_name_mapping), scope) | 
					
						
							|  |  |  |   ] | 
					
						
							|  |  |  | } | 
					
						
										 |  |  | resource "random_password" "client_secret" { | 
					
						
							|  |  |  |   count   = var.client_secret == null ? 1 : 0 | 
					
						
							|  |  |  |   length  = 40 | 
					
						
							|  |  |  |   special = true | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | resource "authentik_provider_oauth2" "provider" { | 
					
						
							|  |  |  |   name                       = var.name | 
					
						
							|  |  |  |   client_id                  = var.client_id != null ? var.client_id : random_id.client_id[0].hex | 
					
						
							|  |  |  |   client_secret              = var.client_secret != null ? var.client_secret : random_password.client_secret[0].result | 
					
						
							|  |  |  |   client_type                = var.client_type | 
					
						
							|  |  |  |   authorization_flow         = var.authorization_flow | 
					
						
							|  |  |  |   invalidation_flow          = var.invalidation_flow | 
					
						
							|  |  |  |   include_claims_in_id_token = var.include_claims_in_id_token | 
					
						
							| 
									
										
										
										
											2025-09-16 15:28:42 +03:00
										 |  |  |   access_code_validity       = var.access_code_validity | 
					
						
							|  |  |  |   access_token_validity      = var.access_token_validity | 
					
						
							|  |  |  |   refresh_token_validity     = var.refresh_token_validity | 
					
						
							|  |  |  |   signing_key                = var.signing_key | 
					
						
							| 
									
										
										
										
											2025-09-15 21:42:01 +03:00
										 |  |  |    | 
					
						
							| 
									
										
										
										
											2025-09-16 15:28:42 +03:00
										 |  |  |   allowed_redirect_uris = [ | 
					
						
							|  |  |  |     for uri in var.redirect_uris : { | 
					
						
							|  |  |  |       matching_mode = "strict" | 
					
						
							|  |  |  |       url           = uri | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |   ] | 
					
						
							|  |  |  |    | 
					
						
							|  |  |  |   property_mappings         = length(var.property_mappings) > 0 ? var.property_mappings : local.selected_scope_ids | 
					
						
							| 
									
										
										
										
											2025-09-15 21:42:01 +03:00
										 |  |  | } | 
					
						
							|  |  |  | resource "random_id" "client_id" { | 
					
						
							|  |  |  |   count       = var.client_id == null ? 1 : 0 | 
					
						
							|  |  |  |   byte_length = 20 | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | resource "authentik_application" "app" { | 
					
						
							|  |  |  |   name                = var.app_name | 
					
						
							|  |  |  |   slug                = var.app_slug | 
					
						
							|  |  |  |   protocol_provider   = authentik_provider_oauth2.provider.id | 
					
						
							|  |  |  |   group              = var.app_group | 
					
						
							|  |  |  |   policy_engine_mode = var.policy_engine_mode | 
					
						
							|  |  |  |   meta_description   = var.meta_description | 
					
						
							|  |  |  |   meta_launch_url    = var.meta_launch_url | 
					
						
							|  |  |  |   meta_icon          = var.meta_icon | 
					
						
							|  |  |  | } | 
					
						
# Caller-defined policy bindings on the application, one per entry of
# var.access_policies. Each entry must carry policy_id and order; the
# remaining attributes are optional and default via lookup().
resource "authentik_policy_binding" "app_access" {
  for_each = var.access_policies

  # NOTE(review): this binding targets `.id` while group_bindings below targets
  # `.uuid`; confirm which attribute the provider expects and use one consistently.
  target = authentik_application.app.id
  policy = each.value.policy_id
  order  = each.value.order

  enabled    = lookup(each.value, "enabled", true)
  timeout    = lookup(each.value, "timeout", 30)
  negate     = lookup(each.value, "negate", false)
  # NOTE(review): defaulting failure_result to true makes the binding fail
  # open — a policy whose evaluation errors out is treated as passing, which
  # grants access. authentik itself defaults this to false (fail closed);
  # consider `false` here unless callers rely on the current default.
  failure_result = lookup(each.value, "failure_result", true)
}
					
						
							|  |  |  | # Binding groups to the application
 | 
					
						
							|  |  |  | resource "authentik_policy_binding" "group_bindings" { | 
					
						
							|  |  |  |   for_each = { for idx, group_id in var.access_groups : idx => group_id } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   target = authentik_application.app.uuid | 
					
						
							|  |  |  |   group  = each.value | 
					
						
							|  |  |  |   order  = 10 + each.key | 
					
						
							| 
									
										
										
										
											2025-09-15 21:42:01 +03:00
										 |  |  | } |