From 40db3879ea3acdf13e83252d1ae9a5014769d168 Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Thu, 12 Mar 2026 18:20:40 +0000
Subject: [PATCH] Update TF readmi
---
terraform/authentik/README.md | 108 +++++++++++++++++++++-------------
1 file changed, 67 insertions(+), 41 deletions(-)
diff --git a/terraform/authentik/README.md b/terraform/authentik/README.md
index 0328d8f..ae55621 100644
--- a/terraform/authentik/README.md
+++ b/terraform/authentik/README.md
@@ -1,55 +1,81 @@ -# Authentik Terraform Module +# Authentik Terraform Configuration -Terraform module for managing Authentik applications with OAuth2/OpenID and Proxy providers, including automatic Outpost assignment. +Root Terraform configuration for managing Authentik SSO — applications (OAuth2/OIDC, Proxy, SAML), groups, outposts, flows, certificates, and property mappings. + +State is stored in Terraform Cloud (organization `ultradesu`, workspace `Authentik`). + +## Structure + +``` +. +├── main.tf # Resources: groups, outposts, policy bindings, module calls +├── variables.tf # Input variable definitions +├── outputs.tf # Outputs (app details, groups, flows, wiki data) +├── providers.tf # Authentik provider (goauthentik/authentik 2025.12.1) +├── state.tf # Terraform Cloud backend +├── terraform.tfvars # General settings: authentik_url, outposts, flows, tags +├── oauth2-apps.auto.tfvars # OAuth2/OIDC application definitions +├── proxy-apps.auto.tfvars # Proxy application definitions +├── groups.auto.tfvars # Group definitions +└── modules/ + ├── oauth-provider/ # OAuth2/OIDC provider + application + ├── proxy-provider/ # Proxy provider + application + └── saml-provider/ # SAML provider + application +``` ## Usage +```bash +# Set the API token +export TF_VAR_authentik_token="..." + +terraform init +terraform plan +terraform apply +``` + +All `*.auto.tfvars` files are loaded automatically — no `-var-file` flags needed. 
+ +## Adding applications + +OAuth2/OIDC — add to `oauth2-apps.auto.tfvars`: + ```hcl -module "authentik" { - source = "./authentik" - - authentik_url = "https://auth.example.com" - authentik_token = var.authentik_token - - oauth_applications = { - "gitlab" = { - name = "GitLab OAuth" - slug = "gitlab" - redirect_uris = ["https://gitlab.example.com/users/auth/openid_connect/callback"] - } - } - - proxy_applications = { - "portainer" = { - name = "Portainer" - slug = "portainer" - external_host = "https://portainer.example.com" - internal_host = "http://portainer:9000" - outpost = "k8s-outpost" - } - } - - outposts = { - "k8s-outpost" = { - name = "Kubernetes Outpost" - type = "proxy" - service_connection = "k8s-local" - } +oauth_applications = { + "my-app" = { + name = "My App" + slug = "my-app" + group = "Tools" + redirect_uris = ["https://my-app.example.com/callback"] + create_group = true + access_groups = ["admins"] } } ``` -## Structure +Proxy — add to `proxy-apps.auto.tfvars`: -- `main.tf` - Main configuration -- `variables.tf` - Input variables -- `outputs.tf` - Output values -- `modules/oauth-provider/` - OAuth2/OIDC provider module -- `modules/proxy-provider/` - Proxy provider module -- `terraform.tfvars.example` - Configuration example +```hcl +proxy_applications = { + "my-proxy" = { + name = "My Proxy" + slug = "my-proxy" + group = "Tools" + external_host = "https://my-proxy.example.com" + internal_host = "http://my-service.namespace.svc:80" + outpost = "kubernetes-outpost" + create_group = true + access_groups = ["admins"] + } +} +``` + +## CI/CD + +Managed via Gitea Actions (`.gitea/workflows/authentik-apps.yaml`). Runs `terraform apply` on push to `main` when files in `terraform/authentik/` change. Also generates a wiki page with the applications list. 
## Requirements - Terraform >= 1.0 -- Authentik provider >= 2023.10.0 -- Authentik API token with admin permissions \ No newline at end of file +- goauthentik/authentik provider 2025.12.1 +- Authentik API token with admin permissions