Added Authentik TF code

2025-09-16 15:28:42 +03:00
parent b1183896f9
commit 4ffc42af97
15 changed files with 475 additions and 14 deletions
--- a/terraform/authentik/modules/oauth-provider/main.tf
+++ b/terraform/authentik/modules/oauth-provider/main.tf
@@ -11,6 +11,30 @@ terraform {
  }
 }

+# Get all available scope mappings
+data "authentik_property_mapping_provider_scope" "all_scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid", 
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+}
+
+# Filter scope mappings based on requested scopes
+locals {
+  scope_name_mapping = {
+    "openid"  = "goauthentik.io/providers/oauth2/scope-openid"
+    "profile" = "goauthentik.io/providers/oauth2/scope-profile"
+    "email"   = "goauthentik.io/providers/oauth2/scope-email"
+  }
+  
+  selected_scope_ids = [
+    for scope in var.scope_mappings : 
+      data.authentik_property_mapping_provider_scope.all_scopes.ids[index(data.authentik_property_mapping_provider_scope.all_scopes.managed_list, local.scope_name_mapping[scope])]
+    if contains(keys(local.scope_name_mapping), scope)
+  ]
+}
+
 resource "random_password" "client_secret" {
  count   = var.client_secret == null ? 1 : 0
  length  = 40
@@ -25,8 +49,19 @@ resource "authentik_provider_oauth2" "provider" {
  authorization_flow         = var.authorization_flow
  invalidation_flow          = var.invalidation_flow
  include_claims_in_id_token = var.include_claims_in_id_token
+  access_code_validity       = var.access_code_validity
+  access_token_validity      = var.access_token_validity
+  refresh_token_validity     = var.refresh_token_validity
+  signing_key                = var.signing_key
  
-  property_mappings         = var.property_mappings
+  allowed_redirect_uris = [
+    for uri in var.redirect_uris : {
+      matching_mode = "strict"
+      url           = uri
+    }
+  ]
+  
+  property_mappings         = length(var.property_mappings) > 0 ? var.property_mappings : local.selected_scope_ids
 }

 resource "random_id" "client_id" {
@@ -56,4 +91,13 @@ resource "authentik_policy_binding" "app_access" {
  timeout    = lookup(each.value, "timeout", 30)
  negate     = lookup(each.value, "negate", false)
  failure_result = lookup(each.value, "failure_result", true)
+}
+
+# Binding groups to the application
+resource "authentik_policy_binding" "group_bindings" {
+  for_each = { for idx, group_id in var.access_groups : idx => group_id }
+
+  target = authentik_application.app.uuid
+  group  = each.value
+  order  = 10 + each.key
 }
--- a/terraform/authentik/modules/oauth-provider/outputs.tf
+++ b/terraform/authentik/modules/oauth-provider/outputs.tf
@@ -10,7 +10,7 @@ output "application_id" {

 output "application_uuid" {
  description = "UUID of the application"
-  value       = authentik_application.app.id
+  value       = authentik_application.app.uuid
 }

 output "client_id" {
--- a/terraform/authentik/modules/oauth-provider/variables.tf
+++ b/terraform/authentik/modules/oauth-provider/variables.tf
@@ -135,4 +135,16 @@ variable "access_policies" {
    failure_result = optional(bool, true)
  }))
  default = {}
+}
+
+variable "access_groups" {
+  description = "List of group IDs that have access to the application"
+  type        = list(string)
+  default     = []
+}
+
+variable "scope_mappings" {
+  description = "List of scope mappings for the OAuth provider"
+  type        = list(string)
+  default     = ["openid", "profile", "email"]
 }