Added Authentik TF code

terraform/authentik/modules/oauth-provider/main.tf

@@ -11,6 +11,30 @@ terraform {
   }
 }
 
+# Get all available scope mappings
+data "authentik_property_mapping_provider_scope" "all_scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid", 
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+}
+
+# Filter scope mappings based on requested scopes
+locals {
+  scope_name_mapping = {
+    "openid"  = "goauthentik.io/providers/oauth2/scope-openid"
+    "profile" = "goauthentik.io/providers/oauth2/scope-profile"
+    "email"   = "goauthentik.io/providers/oauth2/scope-email"
+  }
+  
+  selected_scope_ids = [
+    for scope in var.scope_mappings : 
+      data.authentik_property_mapping_provider_scope.all_scopes.ids[index(data.authentik_property_mapping_provider_scope.all_scopes.managed_list, local.scope_name_mapping[scope])]
+    if contains(keys(local.scope_name_mapping), scope)
+  ]
+}
+
 resource "random_password" "client_secret" {
   count   = var.client_secret == null ? 1 : 0
   length  = 40
@@ -25,8 +49,19 @@ resource "authentik_provider_oauth2" "provider" {
   authorization_flow         = var.authorization_flow
   invalidation_flow          = var.invalidation_flow
   include_claims_in_id_token = var.include_claims_in_id_token
+  access_code_validity       = var.access_code_validity
+  access_token_validity      = var.access_token_validity
+  refresh_token_validity     = var.refresh_token_validity
+  signing_key                = var.signing_key
   
-  property_mappings         = var.property_mappings
+  allowed_redirect_uris = [
+    for uri in var.redirect_uris : {
+      matching_mode = "strict"
+      url           = uri
+    }
+  ]
+  
+  property_mappings         = length(var.property_mappings) > 0 ? var.property_mappings : local.selected_scope_ids
 }
 
 resource "random_id" "client_id" {
@@ -56,4 +91,13 @@ resource "authentik_policy_binding" "app_access" {
   timeout    = lookup(each.value, "timeout", 30)
   negate     = lookup(each.value, "negate", false)
   failure_result = lookup(each.value, "failure_result", true)
+}
+
+# Binding groups to the application
+resource "authentik_policy_binding" "group_bindings" {
+  for_each = { for idx, group_id in var.access_groups : idx => group_id }
+
+  target = authentik_application.app.uuid
+  group  = each.value
+  order  = 10 + each.key
 }

terraform/authentik/modules/oauth-provider/outputs.tf

@@ -10,7 +10,7 @@ output "application_id" {
 
 output "application_uuid" {
   description = "UUID of the application"
-  value       = authentik_application.app.id
+  value       = authentik_application.app.uuid
 }
 
 output "client_id" {

terraform/authentik/modules/oauth-provider/variables.tf

@@ -135,4 +135,16 @@ variable "access_policies" {
     failure_result = optional(bool, true)
   }))
   default = {}
+}
+
+variable "access_groups" {
+  description = "List of group IDs that have access to the application"
+  type        = list(string)
+  default     = []
+}
+
+variable "scope_mappings" {
+  description = "List of scope mappings for the OAuth provider"
+  type        = list(string)
+  default     = ["openid", "profile", "email"]
 }

terraform/authentik/modules/proxy-provider/main.tf

@@ -46,4 +46,13 @@ resource "authentik_policy_binding" "app_access" {
   timeout        = lookup(each.value, "timeout", 30)
   negate         = lookup(each.value, "negate", false)
   failure_result = lookup(each.value, "failure_result", true)
+}
+
+# Binding groups to the application
+resource "authentik_policy_binding" "group_bindings" {
+  for_each = { for idx, group_id in var.access_groups : idx => group_id }
+
+  target = authentik_application.app.uuid
+  group  = each.value
+  order  = 10 + each.key
 }

terraform/authentik/modules/proxy-provider/outputs.tf

@@ -10,7 +10,7 @@ output "application_id" {
 
 output "application_uuid" {
   description = "UUID of the application"
-  value       = authentik_application.app.id
+  value       = authentik_application.app.uuid
 }
 
 output "application_slug" {

terraform/authentik/modules/proxy-provider/variables.tf

@@ -142,4 +142,10 @@ variable "access_policies" {
     failure_result = optional(bool, true)
   }))
   default = {}
+}
+
+variable "access_groups" {
+  description = "List of group IDs that have access to the application"
+  type        = list(string)
+  default     = []
 }

terraform/authentik/modules/saml-provider/main.tf

@@ -0,0 +1,53 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = ">= 2023.10.0"
+    }
+  }
+}
+
+data "authentik_certificate_key_pair" "default" {
+  name = "authentik Self-signed Certificate"
+}
+
+resource "authentik_provider_saml" "provider" {
+  name               = var.name
+  authorization_flow = var.authorization_flow
+  invalidation_flow  = var.invalidation_flow
+  acs_url            = var.acs_url
+  issuer             = var.issuer
+  audience           = var.audience
+  sp_binding         = var.sp_binding
+  signing_kp         = var.signing_key != null ? var.signing_key : data.authentik_certificate_key_pair.default.id
+  property_mappings  = var.property_mappings
+  name_id_mapping    = var.name_id_mapping
+  
+  assertion_valid_not_before = var.assertion_valid_not_before
+  assertion_valid_not_on_or_after = var.assertion_valid_not_on_or_after
+  session_valid_not_on_or_after = var.session_valid_not_on_or_after
+}
+
+resource "authentik_application" "app" {
+  name                = var.app_name
+  slug                = var.app_slug
+  protocol_provider   = authentik_provider_saml.provider.id
+  group              = var.app_group
+  policy_engine_mode = var.policy_engine_mode
+  meta_description   = var.meta_description
+  meta_launch_url    = var.meta_launch_url
+  meta_icon          = var.meta_icon
+}
+
+resource "authentik_policy_binding" "app_access" {
+  for_each = var.access_policies
+
+  target = authentik_application.app.id
+  policy = each.value.policy_id
+  order  = each.value.order
+  
+  enabled    = lookup(each.value, "enabled", true)
+  timeout    = lookup(each.value, "timeout", 30)
+  negate     = lookup(each.value, "negate", false)
+  failure_result = lookup(each.value, "failure_result", true)
+}

terraform/authentik/modules/saml-provider/outputs.tf

@@ -0,0 +1,24 @@
+output "provider_id" {
+  description = "ID of the SAML provider"
+  value       = authentik_provider_saml.provider.id
+}
+
+output "application_id" {
+  description = "ID of the application"
+  value       = authentik_application.app.id
+}
+
+output "provider_name" {
+  description = "Name of the SAML provider"
+  value       = authentik_provider_saml.provider.name
+}
+
+output "acs_url" {
+  description = "Assertion Consumer Service URL"
+  value       = authentik_provider_saml.provider.acs_url
+}
+
+output "issuer" {
+  description = "SAML Issuer"
+  value       = authentik_provider_saml.provider.issuer
+}

terraform/authentik/modules/saml-provider/variables.tf

@@ -0,0 +1,124 @@
+variable "name" {
+  description = "Name of the SAML provider"
+  type        = string
+}
+
+variable "app_name" {
+  description = "Name of the application"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "Slug of the application"
+  type        = string
+}
+
+variable "app_group" {
+  description = "Group of the application"
+  type        = string
+  default     = ""
+}
+
+variable "authorization_flow" {
+  description = "Authorization flow ID"
+  type        = string
+}
+
+variable "invalidation_flow" {
+  description = "Invalidation flow ID"
+  type        = string
+}
+
+variable "acs_url" {
+  description = "Assertion Consumer Service URL"
+  type        = string
+}
+
+variable "issuer" {
+  description = "SAML Issuer"
+  type        = string
+}
+
+variable "audience" {
+  description = "SAML Audience"
+  type        = string
+}
+
+variable "sp_binding" {
+  description = "Service Provider binding (post or redirect)"
+  type        = string
+  default     = "post"
+}
+
+variable "signing_key" {
+  description = "Certificate key pair ID for signing"
+  type        = string
+  default     = null
+}
+
+variable "property_mappings" {
+  description = "List of property mapping IDs"
+  type        = list(string)
+  default     = []
+}
+
+variable "name_id_mapping" {
+  description = "Property mapping ID for NameID"
+  type        = string
+  default     = null
+}
+
+variable "assertion_valid_not_before" {
+  description = "Assertion valid not before"
+  type        = string
+  default     = "minutes=-5"
+}
+
+variable "assertion_valid_not_on_or_after" {
+  description = "Assertion valid not on or after"
+  type        = string
+  default     = "minutes=5"
+}
+
+variable "session_valid_not_on_or_after" {
+  description = "Session valid not on or after"
+  type        = string
+  default     = "minutes=86400"
+}
+
+variable "policy_engine_mode" {
+  description = "Policy engine mode"
+  type        = string
+  default     = "all"
+}
+
+variable "meta_description" {
+  description = "Application description"
+  type        = string
+  default     = ""
+}
+
+variable "meta_launch_url" {
+  description = "Application launch URL"
+  type        = string
+  default     = ""
+}
+
+variable "meta_icon" {
+  description = "Application icon URL"
+  type        = string
+  default     = ""
+}
+
+variable "access_policies" {
+  description = "Access policies for the application"
+  type = map(object({
+    policy_id      = string
+    order          = number
+    enabled        = optional(bool, true)
+    timeout        = optional(number, 30)
+    negate         = optional(bool, false)
+    failure_result = optional(bool, true)
+  }))
+  default = {}
+}