Added authentik terraform

terraform/authentik/modules/oauth-provider/main.tf

@@ -0,0 +1,59 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = ">= 2023.10.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.5.0"
+    }
+  }
+}
+
+resource "random_password" "client_secret" {
+  count   = var.client_secret == null ? 1 : 0
+  length  = 40
+  special = true
+}
+
+resource "authentik_provider_oauth2" "provider" {
+  name                       = var.name
+  client_id                  = var.client_id != null ? var.client_id : random_id.client_id[0].hex
+  client_secret              = var.client_secret != null ? var.client_secret : random_password.client_secret[0].result
+  client_type                = var.client_type
+  authorization_flow         = var.authorization_flow
+  invalidation_flow          = var.invalidation_flow
+  include_claims_in_id_token = var.include_claims_in_id_token
+  
+  property_mappings         = var.property_mappings
+}
+
+resource "random_id" "client_id" {
+  count       = var.client_id == null ? 1 : 0
+  byte_length = 20
+}
+
+resource "authentik_application" "app" {
+  name                = var.app_name
+  slug                = var.app_slug
+  protocol_provider   = authentik_provider_oauth2.provider.id
+  group              = var.app_group
+  policy_engine_mode = var.policy_engine_mode
+  meta_description   = var.meta_description
+  meta_launch_url    = var.meta_launch_url
+  meta_icon          = var.meta_icon
+}
+
+resource "authentik_policy_binding" "app_access" {
+  for_each = var.access_policies
+
+  target = authentik_application.app.id
+  policy = each.value.policy_id
+  order  = each.value.order
+  
+  enabled    = lookup(each.value, "enabled", true)
+  timeout    = lookup(each.value, "timeout", 30)
+  negate     = lookup(each.value, "negate", false)
+  failure_result = lookup(each.value, "failure_result", true)
+}

terraform/authentik/modules/oauth-provider/outputs.tf

@@ -0,0 +1,30 @@
+output "provider_id" {
+  description = "ID of the OAuth2 provider"
+  value       = authentik_provider_oauth2.provider.id
+}
+
+output "application_id" {
+  description = "ID of the application"
+  value       = authentik_application.app.id
+}
+
+output "application_uuid" {
+  description = "UUID of the application"
+  value       = authentik_application.app.id
+}
+
+output "client_id" {
+  description = "OAuth2 Client ID"
+  value       = authentik_provider_oauth2.provider.client_id
+}
+
+output "client_secret" {
+  description = "OAuth2 Client Secret"
+  value       = authentik_provider_oauth2.provider.client_secret
+  sensitive   = true
+}
+
+output "application_slug" {
+  description = "Application slug"
+  value       = authentik_application.app.slug
+}

terraform/authentik/modules/oauth-provider/variables.tf

@@ -0,0 +1,138 @@
+variable "name" {
+  description = "Name of the OAuth2 provider"
+  type        = string
+}
+
+variable "app_name" {
+  description = "Name of the application"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "Slug of the application"
+  type        = string
+}
+
+variable "app_group" {
+  description = "Group for the application"
+  type        = string
+  default     = ""
+}
+
+variable "client_id" {
+  description = "OAuth2 Client ID"
+  type        = string
+  default     = null
+}
+
+variable "client_secret" {
+  description = "OAuth2 Client Secret"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+
+variable "client_type" {
+  description = "OAuth2 Client type (confidential or public)"
+  type        = string
+  default     = "confidential"
+  
+  validation {
+    condition     = contains(["confidential", "public"], var.client_type)
+    error_message = "Client type must be either 'confidential' or 'public'."
+  }
+}
+
+variable "authorization_flow" {
+  description = "Authorization flow UUID"
+  type        = string
+}
+
+variable "invalidation_flow" {
+  description = "Invalidation flow UUID"
+  type        = string
+}
+
+variable "redirect_uris" {
+  description = "List of allowed redirect URIs"
+  type        = list(string)
+  default     = []
+}
+
+variable "access_code_validity" {
+  description = "Access code validity duration"
+  type        = string
+  default     = "minutes=1"
+}
+
+variable "access_token_validity" {
+  description = "Access token validity duration"
+  type        = string
+  default     = "minutes=5"
+}
+
+variable "refresh_token_validity" {
+  description = "Refresh token validity duration"
+  type        = string
+  default     = "days=30"
+}
+
+variable "include_claims_in_id_token" {
+  description = "Include claims in ID token"
+  type        = bool
+  default     = true
+}
+
+variable "signing_key" {
+  description = "Signing key UUID"
+  type        = string
+  default     = null
+}
+
+variable "property_mappings" {
+  description = "List of property mapping UUIDs"
+  type        = list(string)
+  default     = []
+}
+
+variable "policy_engine_mode" {
+  description = "Policy engine mode"
+  type        = string
+  default     = "all"
+  
+  validation {
+    condition     = contains(["all", "any"], var.policy_engine_mode)
+    error_message = "Policy engine mode must be either 'all' or 'any'."
+  }
+}
+
+variable "meta_description" {
+  description = "Application meta description"
+  type        = string
+  default     = ""
+}
+
+variable "meta_launch_url" {
+  description = "Application launch URL"
+  type        = string
+  default     = ""
+}
+
+variable "meta_icon" {
+  description = "Application icon URL"
+  type        = string
+  default     = ""
+}
+
+variable "access_policies" {
+  description = "Access policies for the application"
+  type = map(object({
+    policy_id      = string
+    order          = number
+    enabled        = optional(bool, true)
+    timeout        = optional(number, 30)
+    negate         = optional(bool, false)
+    failure_result = optional(bool, true)
+  }))
+  default = {}
+}

terraform/authentik/modules/proxy-provider/main.tf

@@ -0,0 +1,49 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = ">= 2023.10.0"
+    }
+  }
+}
+
+resource "authentik_provider_proxy" "provider" {
+  name                         = var.name
+  external_host               = var.external_host
+  internal_host               = var.internal_host
+  internal_host_ssl_validation = var.internal_host_ssl_validation
+  authorization_flow          = var.authorization_flow
+  invalidation_flow           = var.invalidation_flow
+  mode                        = var.mode
+  cookie_domain              = var.cookie_domain
+  skip_path_regex            = var.skip_path_regex
+  intercept_header_auth      = var.intercept_header_auth
+  basic_auth_enabled         = var.basic_auth_enabled
+  basic_auth_password_attribute = var.basic_auth_password_attribute
+  
+  property_mappings          = var.property_mappings
+}
+
+resource "authentik_application" "app" {
+  name                = var.app_name
+  slug                = var.app_slug
+  protocol_provider   = authentik_provider_proxy.provider.id
+  group              = var.app_group
+  policy_engine_mode = var.policy_engine_mode
+  meta_description   = var.meta_description
+  meta_launch_url    = var.meta_launch_url
+  meta_icon          = var.meta_icon
+}
+
+resource "authentik_policy_binding" "app_access" {
+  for_each = var.access_policies
+
+  target = authentik_application.app.id
+  policy = each.value.policy_id
+  order  = each.value.order
+  
+  enabled        = lookup(each.value, "enabled", true)
+  timeout        = lookup(each.value, "timeout", 30)
+  negate         = lookup(each.value, "negate", false)
+  failure_result = lookup(each.value, "failure_result", true)
+}

terraform/authentik/modules/proxy-provider/outputs.tf

@@ -0,0 +1,35 @@
+output "provider_id" {
+  description = "ID of the Proxy provider"
+  value       = authentik_provider_proxy.provider.id
+}
+
+output "application_id" {
+  description = "ID of the application"
+  value       = authentik_application.app.id
+}
+
+output "application_uuid" {
+  description = "UUID of the application"
+  value       = authentik_application.app.id
+}
+
+output "application_slug" {
+  description = "Application slug"
+  value       = authentik_application.app.slug
+}
+
+output "launch_url" {
+  description = "Application launch URL"
+  value       = authentik_application.app.meta_launch_url
+}
+
+output "external_host" {
+  description = "External host URL"
+  value       = authentik_provider_proxy.provider.external_host
+}
+
+output "internal_host" {
+  description = "Internal host URL"
+  value       = authentik_provider_proxy.provider.internal_host
+}
+

terraform/authentik/modules/proxy-provider/variables.tf

@@ -0,0 +1,145 @@
+variable "name" {
+  description = "Name of the Proxy provider"
+  type        = string
+}
+
+variable "app_name" {
+  description = "Name of the application"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "Slug of the application"
+  type        = string
+}
+
+variable "app_group" {
+  description = "Group for the application"
+  type        = string
+  default     = ""
+}
+
+variable "external_host" {
+  description = "External hostname for the proxy"
+  type        = string
+}
+
+variable "internal_host" {
+  description = "Internal hostname for the proxy"
+  type        = string
+  default     = ""
+}
+
+variable "internal_host_ssl_validation" {
+  description = "Enable SSL validation for internal host"
+  type        = bool
+  default     = true
+}
+
+variable "authorization_flow" {
+  description = "Authorization flow UUID"
+  type        = string
+}
+
+variable "invalidation_flow" {
+  description = "Invalidation flow UUID"
+  type        = string
+}
+
+variable "mode" {
+  description = "Proxy mode (proxy, forward_single, forward_domain)"
+  type        = string
+  default     = "proxy"
+  
+  validation {
+    condition     = contains(["proxy", "forward_single", "forward_domain"], var.mode)
+    error_message = "Mode must be one of: proxy, forward_single, forward_domain."
+  }
+}
+
+
+variable "cookie_domain" {
+  description = "Cookie domain for the proxy"
+  type        = string
+  default     = ""
+}
+
+
+variable "skip_path_regex" {
+  description = "Regular expression for paths to skip authentication"
+  type        = string
+  default     = ""
+}
+
+variable "intercept_header_auth" {
+  description = "Intercept header authentication"
+  type        = bool
+  default     = false
+}
+
+variable "basic_auth_enabled" {
+  description = "Enable basic authentication"
+  type        = bool
+  default     = false
+}
+
+variable "basic_auth_password_attribute" {
+  description = "Attribute for basic auth password"
+  type        = string
+  default     = ""
+}
+
+variable "basic_auth_user_attribute" {
+  description = "Attribute for basic auth username"
+  type        = string
+  default     = ""
+}
+
+variable "property_mappings" {
+  description = "List of property mapping UUIDs"
+  type        = list(string)
+  default     = []
+}
+
+variable "policy_engine_mode" {
+  description = "Policy engine mode"
+  type        = string
+  default     = "all"
+  
+  validation {
+    condition     = contains(["all", "any"], var.policy_engine_mode)
+    error_message = "Policy engine mode must be either 'all' or 'any'."
+  }
+}
+
+variable "meta_description" {
+  description = "Application meta description"
+  type        = string
+  default     = ""
+}
+
+variable "meta_launch_url" {
+  description = "Application launch URL"
+  type        = string
+  default     = ""
+}
+
+variable "meta_icon" {
+  description = "Application icon URL"
+  type        = string
+  default     = ""
+}
+
+
+variable "access_policies" {
+  description = "Access policies for the application"
+  type = map(object({
+    policy_id      = string
+    order          = number
+    enabled        = optional(bool, true)
+    timeout        = optional(number, 30)
+    negate         = optional(bool, false)
+    failure_result = optional(bool, true)
+  }))
+  default = {}
+}