ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

Added authentik terraform

Browse Source
This commit is contained in:
AB
2025-09-15 21:42:01 +03:00
parent 9b7f953bd3
commit 00cbd8830b
13 changed files with 971 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
terraform/authentik/modules/proxy-provider/main.tf Normal file
View File

@@ -0,0 +1,49 @@
terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = ">= 2023.10.0"
}
}
}
resource "authentik_provider_proxy" "provider" {
name = var.name
external_host = var.external_host
internal_host = var.internal_host
internal_host_ssl_validation = var.internal_host_ssl_validation
authorization_flow = var.authorization_flow
invalidation_flow = var.invalidation_flow
mode = var.mode
cookie_domain = var.cookie_domain
skip_path_regex = var.skip_path_regex
intercept_header_auth = var.intercept_header_auth
basic_auth_enabled = var.basic_auth_enabled
basic_auth_password_attribute = var.basic_auth_password_attribute
property_mappings = var.property_mappings
}
resource "authentik_application" "app" {
name = var.app_name
slug = var.app_slug
protocol_provider = authentik_provider_proxy.provider.id
group = var.app_group
policy_engine_mode = var.policy_engine_mode
meta_description = var.meta_description
meta_launch_url = var.meta_launch_url
meta_icon = var.meta_icon
}
resource "authentik_policy_binding" "app_access" {
for_each = var.access_policies
target = authentik_application.app.id
policy = each.value.policy_id
order = each.value.order
enabled = lookup(each.value, "enabled", true)
timeout = lookup(each.value, "timeout", 30)
negate = lookup(each.value, "negate", false)
failure_result = lookup(each.value, "failure_result", true)
}

35
terraform/authentik/modules/proxy-provider/outputs.tf Normal file
View File

@@ -0,0 +1,35 @@
output "provider_id" {
description = "ID of the Proxy provider"
value = authentik_provider_proxy.provider.id
}
output "application_id" {
description = "ID of the application"
value = authentik_application.app.id
}
output "application_uuid" {
description = "UUID of the application"
value = authentik_application.app.id
}
output "application_slug" {
description = "Application slug"
value = authentik_application.app.slug
}
output "launch_url" {
description = "Application launch URL"
value = authentik_application.app.meta_launch_url
}
output "external_host" {
description = "External host URL"
value = authentik_provider_proxy.provider.external_host
}
output "internal_host" {
description = "Internal host URL"
value = authentik_provider_proxy.provider.internal_host
}

145
terraform/authentik/modules/proxy-provider/variables.tf Normal file
View File

@@ -0,0 +1,145 @@
variable "name" {
description = "Name of the Proxy provider"
type = string
}
variable "app_name" {
description = "Name of the application"
type = string
}
variable "app_slug" {
description = "Slug of the application"
type = string
}
variable "app_group" {
description = "Group for the application"
type = string
default = ""
}
variable "external_host" {
description = "External hostname for the proxy"
type = string
}
variable "internal_host" {
description = "Internal hostname for the proxy"
type = string
default = ""
}
variable "internal_host_ssl_validation" {
description = "Enable SSL validation for internal host"
type = bool
default = true
}
variable "authorization_flow" {
description = "Authorization flow UUID"
type = string
}
variable "invalidation_flow" {
description = "Invalidation flow UUID"
type = string
}
variable "mode" {
description = "Proxy mode (proxy, forward_single, forward_domain)"
type = string
default = "proxy"
validation {
condition = contains(["proxy", "forward_single", "forward_domain"], var.mode)
error_message = "Mode must be one of: proxy, forward_single, forward_domain."
}
}
variable "cookie_domain" {
description = "Cookie domain for the proxy"
type = string
default = ""
}
variable "skip_path_regex" {
description = "Regular expression for paths to skip authentication"
type = string
default = ""
}
variable "intercept_header_auth" {
description = "Intercept header authentication"
type = bool
default = false
}
variable "basic_auth_enabled" {
description = "Enable basic authentication"
type = bool
default = false
}
variable "basic_auth_password_attribute" {
description = "Attribute for basic auth password"
type = string
default = ""
}
variable "basic_auth_user_attribute" {
description = "Attribute for basic auth username"
type = string
default = ""
}
variable "property_mappings" {
description = "List of property mapping UUIDs"
type = list(string)
default = []
}
variable "policy_engine_mode" {
description = "Policy engine mode"
type = string
default = "all"
validation {
condition = contains(["all", "any"], var.policy_engine_mode)
error_message = "Policy engine mode must be either 'all' or 'any'."
}
}
variable "meta_description" {
description = "Application meta description"
type = string
default = ""
}
variable "meta_launch_url" {
description = "Application launch URL"
type = string
default = ""
}
variable "meta_icon" {
description = "Application icon URL"
type = string
default = ""
}
variable "access_policies" {
description = "Access policies for the application"
type = map(object({
policy_id = string
order = number
enabled = optional(bool, true)
timeout = optional(number, 30)
negate = optional(bool, false)
failure_result = optional(bool, true)
}))
default = {}
}