From d71935d063a080972179ade9305206de15390cc7 Mon Sep 17 00:00:00 2001 From: "AB from home.homenet" Date: Tue, 16 Sep 2025 00:28:54 +0300 Subject: [PATCH] fmt --- terraform/authentik/.terraform.lock.hcl | 4 +- terraform/authentik/main.tf | 136 ++++++++++++------------ terraform/authentik/outputs.tf | 16 +-- terraform/authentik/providers.tf | 2 +- terraform/authentik/variables.tf | 83 ++++++++------- 5 files changed, 122 insertions(+), 119 deletions(-) diff --git a/terraform/authentik/.terraform.lock.hcl b/terraform/authentik/.terraform.lock.hcl index a41270f..ddd5e4b 100644 --- a/terraform/authentik/.terraform.lock.hcl +++ b/terraform/authentik/.terraform.lock.hcl @@ -3,9 +3,10 @@ provider "registry.terraform.io/goauthentik/authentik" { version = "2025.8.1" - constraints = ">= 2023.10.0" + constraints = ">= 2023.10.0, 2025.8.1" hashes = [ "h1:L3Fh0LyQ066laexCAeqLd+AVuSPDemwCmYgq1Bges6c=", + "h1:R3h8ADB0Kkv/aoY0AaHkBiX2/P4+GnW8sSgkN30kJfQ=", "zh:0c3f1083fd48f20ed06959401ff1459fbb5d454d81c8175b5b6d321b308c0be3", "zh:21c6d93f8d26e688da38a660d121b5624e3597c426c671289f31a17a9771abbf", "zh:301b5763ffc4c5fe47aa7e851ce0b19f71bab4fae5c81003ad81b38775e85f78", @@ -28,6 +29,7 @@ provider "registry.terraform.io/hashicorp/random" { constraints = ">= 3.5.0" hashes = [ "h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=", + "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", diff --git a/terraform/authentik/main.tf b/terraform/authentik/main.tf index 234d11f..0792886 100644 --- a/terraform/authentik/main.tf +++ b/terraform/authentik/main.tf @@ -25,7 +25,7 @@ resource "authentik_certificate_key_pair" "certificates" { name = each.value.name certificate_data = each.value.certificate_data - key_data = each.value.key_data + key_data = each.value.key_data } 
@@ -52,9 +52,9 @@ resource "authentik_property_mapping_provider_scope" "oidc_mappings" { if v.oidc_scope != null } - name = each.value.name - scope_name = each.value.oidc_scope - expression = each.value.expression + name = each.value.name + scope_name = each.value.oidc_scope + expression = each.value.expression } resource "authentik_property_mapping_provider_saml" "saml_mappings" { 
@@ -70,55 +70,55 @@ resource "authentik_property_mapping_provider_saml" "saml_mappings" { module "oauth_applications" { source = "./modules/oauth-provider" - + for_each = var.oauth_applications name = each.value.name - app_name = each.value.name - app_slug = each.value.slug - app_group = each.value.group - client_id = each.value.client_id - authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id) - invalidation_flow = data.authentik_flow.default_invalidation_flow.id - redirect_uris = each.value.redirect_uris - client_type = each.value.client_type + app_name = each.value.name + app_slug = each.value.slug + app_group = each.value.group + client_id = each.value.client_id + authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id) + invalidation_flow = data.authentik_flow.default_invalidation_flow.id + redirect_uris = each.value.redirect_uris + client_type = each.value.client_type include_claims_in_id_token = each.value.include_claims_in_id_token - access_code_validity = each.value.access_code_validity - access_token_validity = each.value.access_token_validity - refresh_token_validity = each.value.refresh_token_validity - property_mappings = each.value.property_mappings - signing_key = each.value.signing_key - policy_engine_mode = each.value.policy_engine_mode - meta_description = each.value.meta_description - meta_launch_url = each.value.meta_launch_url - meta_icon = each.value.meta_icon + access_code_validity = each.value.access_code_validity + access_token_validity = each.value.access_token_validity + refresh_token_validity = each.value.refresh_token_validity + property_mappings = each.value.property_mappings + signing_key = each.value.signing_key + policy_engine_mode = each.value.policy_engine_mode + meta_description = each.value.meta_description + meta_launch_url = each.value.meta_launch_url + meta_icon = 
each.value.meta_icon } module "proxy_applications" { source = "./modules/proxy-provider" - + for_each = var.proxy_applications - name = each.value.name - app_name = each.value.name - app_slug = each.value.slug - app_group = each.value.group - external_host = each.value.external_host - internal_host = each.value.internal_host - internal_host_ssl_validation = each.value.internal_host_ssl_validation - authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id) - invalidation_flow = data.authentik_flow.default_invalidation_flow.id - mode = each.value.mode - intercept_header_auth = each.value.intercept_header_auth - basic_auth_enabled = each.value.basic_auth_enabled - basic_auth_user_attribute = each.value.basic_auth_username_attribute + name = each.value.name + app_name = each.value.name + app_slug = each.value.slug + app_group = each.value.group + external_host = each.value.external_host + internal_host = each.value.internal_host + internal_host_ssl_validation = each.value.internal_host_ssl_validation + authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id) + invalidation_flow = data.authentik_flow.default_invalidation_flow.id + mode = each.value.mode + intercept_header_auth = each.value.intercept_header_auth + basic_auth_enabled = each.value.basic_auth_enabled + basic_auth_user_attribute = each.value.basic_auth_username_attribute basic_auth_password_attribute = each.value.basic_auth_password_attribute - cookie_domain = each.value.cookie_domain - skip_path_regex = each.value.skip_path_regex - policy_engine_mode = each.value.policy_engine_mode - meta_description = each.value.meta_description - meta_launch_url = each.value.meta_launch_url - meta_icon = each.value.meta_icon + cookie_domain = each.value.cookie_domain + skip_path_regex = each.value.skip_path_regex + policy_engine_mode = each.value.policy_engine_mode + 
meta_description = each.value.meta_description + meta_launch_url = each.value.meta_launch_url + meta_icon = each.value.meta_icon } locals { @@ -126,18 +126,18 @@ locals { for app_key, app in var.oauth_applications : app_key => app.outpost if app.outpost != null } - + proxy_outpost_assignments = { for app_key, app in var.proxy_applications : app_key => app.outpost if app.outpost != null } - + outpost_providers = { for outpost_key, outpost in var.outposts : outpost_key => concat( - [for app_key, app_outpost in local.oauth_outpost_assignments : - module.oauth_applications[app_key].provider_id if app_outpost == outpost_key], - [for app_key, app_outpost in local.proxy_outpost_assignments : - module.proxy_applications[app_key].provider_id if app_outpost == outpost_key] + [for app_key, app_outpost in local.oauth_outpost_assignments : + module.oauth_applications[app_key].provider_id if app_outpost == outpost_key], + [for app_key, app_outpost in local.proxy_outpost_assignments : + module.proxy_applications[app_key].provider_id if app_outpost == outpost_key] ) } } 
@@ -153,27 +153,27 @@ resource "authentik_outpost" "outposts" { protocol_providers = local.outpost_providers[each.key] service_connection = data.authentik_service_connection_kubernetes.local_k8s.id config = jsonencode({ - log_level = "info" - docker_labels = null - authentik_host = var.authentik_url - docker_network = null - container_image = null - docker_map_ports = true - refresh_interval = "minutes=5" - kubernetes_replicas = 1 - kubernetes_namespace = "authentik" - authentik_host_browser = "" - object_naming_template = "ak-outpost-%(name)s" - authentik_host_insecure = false - kubernetes_json_patches = null - kubernetes_service_type = "ClusterIP" - kubernetes_image_pull_secrets = [] - kubernetes_ingress_class_name = null - kubernetes_disabled_components = [] - kubernetes_ingress_annotations = {} - kubernetes_ingress_secret_name = "authentik-outpost-tls" + log_level = "info" + docker_labels = null + authentik_host = var.authentik_url + docker_network = null + container_image = null + docker_map_ports = true + refresh_interval = "minutes=5" + kubernetes_replicas = 1 + kubernetes_namespace = "authentik" + authentik_host_browser = "" + object_naming_template = "ak-outpost-%(name)s" + authentik_host_insecure = false + kubernetes_json_patches = null + kubernetes_service_type = "ClusterIP" + kubernetes_image_pull_secrets = [] + kubernetes_ingress_class_name = null + kubernetes_disabled_components = [] + kubernetes_ingress_annotations = {} + kubernetes_ingress_secret_name = "authentik-outpost-tls" }) - + depends_on = [ module.oauth_applications, module.proxy_applications diff --git a/terraform/authentik/outputs.tf b/terraform/authentik/outputs.tf index a6341c2..4c03b75 100644 --- a/terraform/authentik/outputs.tf +++ b/terraform/authentik/outputs.tf 
@@ -4,9 +4,9 @@ output "oauth_applications" { for k, v in module.oauth_applications : k => { application_id = v.application_id application_uuid = v.application_uuid - client_id = v.client_id - client_secret = v.client_secret - slug = v.application_slug + client_id = v.client_id + client_secret = v.client_secret + slug = v.application_slug } } sensitive = true @@ -18,9 +18,9 @@ output "proxy_applications" { for k, v in module.proxy_applications : k => { application_id = v.application_id application_uuid = v.application_uuid - external_host = v.external_host - internal_host = v.internal_host - slug = v.application_slug + external_host = v.external_host + internal_host = v.internal_host + slug = v.application_slug } } } @@ -61,8 +61,8 @@ output "certificates" { description = "Certificates details" value = { for k, v in authentik_certificate_key_pair.certificates : k => { - id = v.id - name = v.name + id = v.id + name = v.name fingerprint_sha256 = v.fingerprint_sha256 fingerprint_sha1 = v.fingerprint_sha1 } diff --git a/terraform/authentik/providers.tf b/terraform/authentik/providers.tf index 7595061..c9b58bf 100644 --- a/terraform/authentik/providers.tf +++ b/terraform/authentik/providers.tf @@ -1,7 +1,7 @@ terraform { required_providers { authentik = { - source = "goauthentik/authentik" + source = "goauthentik/authentik" version = "2025.8.1" } } diff --git a/terraform/authentik/variables.tf b/terraform/authentik/variables.tf index 9e30894..5485a4c 100644 --- a/terraform/authentik/variables.tf +++ b/terraform/authentik/variables.tf 
@@ -1,24 +1,24 @@ variable "oauth_applications" { description = "Map of OAuth2/OpenID applications" type = map(object({ - name = string - slug = string - group = optional(string, "") - policy_engine_mode = optional(string, "all") - meta_description = optional(string, "") - meta_launch_url = optional(string, "") - meta_icon = optional(string, "") - redirect_uris = list(string) - client_type = optional(string, "confidential") - client_id = optional(string, null) + name = string + slug = string + group = optional(string, "") + policy_engine_mode = optional(string, "all") + meta_description = optional(string, "") + meta_launch_url = optional(string, "") + meta_icon = optional(string, "") + redirect_uris = list(string) + client_type = optional(string, "confidential") + client_id = optional(string, null) include_claims_in_id_token = optional(bool, true) - access_code_validity = optional(string, "minutes=1") - access_token_validity = optional(string, "minutes=5") - refresh_token_validity = optional(string, "days=30") - property_mappings = optional(list(string), []) - authorization_flow = optional(string, null) - signing_key = optional(string, null) - outpost = optional(string, null) + access_code_validity = optional(string, "minutes=1") + access_token_validity = optional(string, "minutes=5") + refresh_token_validity = optional(string, "days=30") + property_mappings = optional(list(string), []) + authorization_flow = optional(string, null) + signing_key = optional(string, null) + outpost = optional(string, null) })) default = {} } 
@@ -26,25 +26,25 @@ variable "oauth_applications" { variable "proxy_applications" { description = "Map of Proxy applications" type = map(object({ - name = string - slug = string - group = optional(string, "") - policy_engine_mode = optional(string, "all") - meta_description = optional(string, "") - meta_launch_url = optional(string, "") - meta_icon = optional(string, "") - external_host = string - internal_host = optional(string, "") - internal_host_ssl_validation = optional(bool, true) - mode = optional(string, "proxy") - intercept_header_auth = optional(bool, false) - basic_auth_enabled = optional(bool, false) + name = string + slug = string + group = optional(string, "") + policy_engine_mode = optional(string, "all") + meta_description = optional(string, "") + meta_launch_url = optional(string, "") + meta_icon = optional(string, "") + external_host = string + internal_host = optional(string, "") + internal_host_ssl_validation = optional(bool, true) + mode = optional(string, "proxy") + intercept_header_auth = optional(bool, false) + basic_auth_enabled = optional(bool, false) basic_auth_username_attribute = optional(string, "") basic_auth_password_attribute = optional(string, "") - cookie_domain = optional(string, "") - authorization_flow = optional(string, null) - skip_path_regex = optional(string, "") - outpost = optional(string, null) + cookie_domain = optional(string, "") + authorization_flow = optional(string, null) + skip_path_regex = optional(string, "") + outpost = optional(string, null) })) default = {} } @@ -76,10 +76,10 @@ variable "flows" { variable "groups" { description = "Map of user groups" type = map(object({ - name = string + name = string is_superuser = optional(bool, false) - parent = optional(string, null) - attributes = optional(map(any), {}) + parent = optional(string, null) + attributes = optional(map(any), {}) })) default = {} } 
@@ -87,8 +87,8 @@ variable "groups" { variable "certificates" { description = "Map of certificates for HTTPS" type = map(object({ - name = string - certificate_data = string + name = string + certificate_data = string key_data = string managed = optional(string, null) })) @@ -114,7 +114,7 @@ variable "default_authorization_flow" { } variable "default_authentication_flow" { - description = "Default authentication flow slug" + description = "Default authentication flow slug" type = string default = "default-authentication-flow" } @@ -134,4 +134,5 @@ variable "tags" { variable "authentik_url" { description = "Authentik URL" type = string -} \ No newline at end of file + default = "https://idm.hexor.cy" +}
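Review bot: The `default = "https://idm.hexor.cy"` added to `variable "authentik_url"` in the last hunk is a behavioral change, not formatting, and neither the commit title "fmt" nor any other hunk in the patch (all of which are whitespace or lockfile hashes) hints at it. With a default in place, a missing or misspelled `authentik_url` in a tfvars file no longer fails at plan time; main.tf feeds this value into the outpost config as `authentik_host`, so an apply against the wrong workspace would quietly point outposts at that instance. I would either drop the default and keep the variable required, or at least state the behavior in the description, e.g. `description = "Authentik URL; defaults to the production instance, override per environment"`, and move the change out of the formatting commit so it is visible in history on its own.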