4
terraform/authentik/.terraform.lock.hcl
generated
4
terraform/authentik/.terraform.lock.hcl
generated
@@ -3,9 +3,10 @@
|
|||||||
|
|
||||||
provider "registry.terraform.io/goauthentik/authentik" {
|
provider "registry.terraform.io/goauthentik/authentik" {
|
||||||
version = "2025.8.1"
|
version = "2025.8.1"
|
||||||
constraints = ">= 2023.10.0"
|
constraints = ">= 2023.10.0, 2025.8.1"
|
||||||
hashes = [
|
hashes = [
|
||||||
"h1:L3Fh0LyQ066laexCAeqLd+AVuSPDemwCmYgq1Bges6c=",
|
"h1:L3Fh0LyQ066laexCAeqLd+AVuSPDemwCmYgq1Bges6c=",
|
||||||
|
"h1:R3h8ADB0Kkv/aoY0AaHkBiX2/P4+GnW8sSgkN30kJfQ=",
|
||||||
"zh:0c3f1083fd48f20ed06959401ff1459fbb5d454d81c8175b5b6d321b308c0be3",
|
"zh:0c3f1083fd48f20ed06959401ff1459fbb5d454d81c8175b5b6d321b308c0be3",
|
||||||
"zh:21c6d93f8d26e688da38a660d121b5624e3597c426c671289f31a17a9771abbf",
|
"zh:21c6d93f8d26e688da38a660d121b5624e3597c426c671289f31a17a9771abbf",
|
||||||
"zh:301b5763ffc4c5fe47aa7e851ce0b19f71bab4fae5c81003ad81b38775e85f78",
|
"zh:301b5763ffc4c5fe47aa7e851ce0b19f71bab4fae5c81003ad81b38775e85f78",
|
||||||
@@ -28,6 +29,7 @@ provider "registry.terraform.io/hashicorp/random" {
|
|||||||
constraints = ">= 3.5.0"
|
constraints = ">= 3.5.0"
|
||||||
hashes = [
|
hashes = [
|
||||||
"h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=",
|
"h1:0hcNr59VEJbhZYwuDE/ysmyTS0evkfcLarlni+zATPM=",
|
||||||
|
"h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=",
|
||||||
"zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
|
"zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
|
||||||
"zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
|
"zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
|
||||||
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
|
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
|
||||||
|
@@ -25,7 +25,7 @@ resource "authentik_certificate_key_pair" "certificates" {
|
|||||||
|
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
certificate_data = each.value.certificate_data
|
certificate_data = each.value.certificate_data
|
||||||
key_data = each.value.key_data
|
key_data = each.value.key_data
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -52,9 +52,9 @@ resource "authentik_property_mapping_provider_scope" "oidc_mappings" {
|
|||||||
if v.oidc_scope != null
|
if v.oidc_scope != null
|
||||||
}
|
}
|
||||||
|
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
scope_name = each.value.oidc_scope
|
scope_name = each.value.oidc_scope
|
||||||
expression = each.value.expression
|
expression = each.value.expression
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "authentik_property_mapping_provider_saml" "saml_mappings" {
|
resource "authentik_property_mapping_provider_saml" "saml_mappings" {
|
||||||
@@ -70,55 +70,55 @@ resource "authentik_property_mapping_provider_saml" "saml_mappings" {
|
|||||||
|
|
||||||
module "oauth_applications" {
|
module "oauth_applications" {
|
||||||
source = "./modules/oauth-provider"
|
source = "./modules/oauth-provider"
|
||||||
|
|
||||||
for_each = var.oauth_applications
|
for_each = var.oauth_applications
|
||||||
|
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
app_name = each.value.name
|
app_name = each.value.name
|
||||||
app_slug = each.value.slug
|
app_slug = each.value.slug
|
||||||
app_group = each.value.group
|
app_group = each.value.group
|
||||||
client_id = each.value.client_id
|
client_id = each.value.client_id
|
||||||
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
||||||
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
||||||
redirect_uris = each.value.redirect_uris
|
redirect_uris = each.value.redirect_uris
|
||||||
client_type = each.value.client_type
|
client_type = each.value.client_type
|
||||||
include_claims_in_id_token = each.value.include_claims_in_id_token
|
include_claims_in_id_token = each.value.include_claims_in_id_token
|
||||||
access_code_validity = each.value.access_code_validity
|
access_code_validity = each.value.access_code_validity
|
||||||
access_token_validity = each.value.access_token_validity
|
access_token_validity = each.value.access_token_validity
|
||||||
refresh_token_validity = each.value.refresh_token_validity
|
refresh_token_validity = each.value.refresh_token_validity
|
||||||
property_mappings = each.value.property_mappings
|
property_mappings = each.value.property_mappings
|
||||||
signing_key = each.value.signing_key
|
signing_key = each.value.signing_key
|
||||||
policy_engine_mode = each.value.policy_engine_mode
|
policy_engine_mode = each.value.policy_engine_mode
|
||||||
meta_description = each.value.meta_description
|
meta_description = each.value.meta_description
|
||||||
meta_launch_url = each.value.meta_launch_url
|
meta_launch_url = each.value.meta_launch_url
|
||||||
meta_icon = each.value.meta_icon
|
meta_icon = each.value.meta_icon
|
||||||
}
|
}
|
||||||
|
|
||||||
module "proxy_applications" {
|
module "proxy_applications" {
|
||||||
source = "./modules/proxy-provider"
|
source = "./modules/proxy-provider"
|
||||||
|
|
||||||
for_each = var.proxy_applications
|
for_each = var.proxy_applications
|
||||||
|
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
app_name = each.value.name
|
app_name = each.value.name
|
||||||
app_slug = each.value.slug
|
app_slug = each.value.slug
|
||||||
app_group = each.value.group
|
app_group = each.value.group
|
||||||
external_host = each.value.external_host
|
external_host = each.value.external_host
|
||||||
internal_host = each.value.internal_host
|
internal_host = each.value.internal_host
|
||||||
internal_host_ssl_validation = each.value.internal_host_ssl_validation
|
internal_host_ssl_validation = each.value.internal_host_ssl_validation
|
||||||
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
authorization_flow = try(authentik_flow.flows[each.value.authorization_flow].id, data.authentik_flow.default_authorization_flow.id)
|
||||||
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
||||||
mode = each.value.mode
|
mode = each.value.mode
|
||||||
intercept_header_auth = each.value.intercept_header_auth
|
intercept_header_auth = each.value.intercept_header_auth
|
||||||
basic_auth_enabled = each.value.basic_auth_enabled
|
basic_auth_enabled = each.value.basic_auth_enabled
|
||||||
basic_auth_user_attribute = each.value.basic_auth_username_attribute
|
basic_auth_user_attribute = each.value.basic_auth_username_attribute
|
||||||
basic_auth_password_attribute = each.value.basic_auth_password_attribute
|
basic_auth_password_attribute = each.value.basic_auth_password_attribute
|
||||||
cookie_domain = each.value.cookie_domain
|
cookie_domain = each.value.cookie_domain
|
||||||
skip_path_regex = each.value.skip_path_regex
|
skip_path_regex = each.value.skip_path_regex
|
||||||
policy_engine_mode = each.value.policy_engine_mode
|
policy_engine_mode = each.value.policy_engine_mode
|
||||||
meta_description = each.value.meta_description
|
meta_description = each.value.meta_description
|
||||||
meta_launch_url = each.value.meta_launch_url
|
meta_launch_url = each.value.meta_launch_url
|
||||||
meta_icon = each.value.meta_icon
|
meta_icon = each.value.meta_icon
|
||||||
}
|
}
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
@@ -126,18 +126,18 @@ locals {
|
|||||||
for app_key, app in var.oauth_applications : app_key => app.outpost
|
for app_key, app in var.oauth_applications : app_key => app.outpost
|
||||||
if app.outpost != null
|
if app.outpost != null
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy_outpost_assignments = {
|
proxy_outpost_assignments = {
|
||||||
for app_key, app in var.proxy_applications : app_key => app.outpost
|
for app_key, app in var.proxy_applications : app_key => app.outpost
|
||||||
if app.outpost != null
|
if app.outpost != null
|
||||||
}
|
}
|
||||||
|
|
||||||
outpost_providers = {
|
outpost_providers = {
|
||||||
for outpost_key, outpost in var.outposts : outpost_key => concat(
|
for outpost_key, outpost in var.outposts : outpost_key => concat(
|
||||||
[for app_key, app_outpost in local.oauth_outpost_assignments :
|
[for app_key, app_outpost in local.oauth_outpost_assignments :
|
||||||
module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
|
module.oauth_applications[app_key].provider_id if app_outpost == outpost_key],
|
||||||
[for app_key, app_outpost in local.proxy_outpost_assignments :
|
[for app_key, app_outpost in local.proxy_outpost_assignments :
|
||||||
module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
|
module.proxy_applications[app_key].provider_id if app_outpost == outpost_key]
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -153,27 +153,27 @@ resource "authentik_outpost" "outposts" {
|
|||||||
protocol_providers = local.outpost_providers[each.key]
|
protocol_providers = local.outpost_providers[each.key]
|
||||||
service_connection = data.authentik_service_connection_kubernetes.local_k8s.id
|
service_connection = data.authentik_service_connection_kubernetes.local_k8s.id
|
||||||
config = jsonencode({
|
config = jsonencode({
|
||||||
log_level = "info"
|
log_level = "info"
|
||||||
docker_labels = null
|
docker_labels = null
|
||||||
authentik_host = var.authentik_url
|
authentik_host = var.authentik_url
|
||||||
docker_network = null
|
docker_network = null
|
||||||
container_image = null
|
container_image = null
|
||||||
docker_map_ports = true
|
docker_map_ports = true
|
||||||
refresh_interval = "minutes=5"
|
refresh_interval = "minutes=5"
|
||||||
kubernetes_replicas = 1
|
kubernetes_replicas = 1
|
||||||
kubernetes_namespace = "authentik"
|
kubernetes_namespace = "authentik"
|
||||||
authentik_host_browser = ""
|
authentik_host_browser = ""
|
||||||
object_naming_template = "ak-outpost-%(name)s"
|
object_naming_template = "ak-outpost-%(name)s"
|
||||||
authentik_host_insecure = false
|
authentik_host_insecure = false
|
||||||
kubernetes_json_patches = null
|
kubernetes_json_patches = null
|
||||||
kubernetes_service_type = "ClusterIP"
|
kubernetes_service_type = "ClusterIP"
|
||||||
kubernetes_image_pull_secrets = []
|
kubernetes_image_pull_secrets = []
|
||||||
kubernetes_ingress_class_name = null
|
kubernetes_ingress_class_name = null
|
||||||
kubernetes_disabled_components = []
|
kubernetes_disabled_components = []
|
||||||
kubernetes_ingress_annotations = {}
|
kubernetes_ingress_annotations = {}
|
||||||
kubernetes_ingress_secret_name = "authentik-outpost-tls"
|
kubernetes_ingress_secret_name = "authentik-outpost-tls"
|
||||||
})
|
})
|
||||||
|
|
||||||
depends_on = [
|
depends_on = [
|
||||||
module.oauth_applications,
|
module.oauth_applications,
|
||||||
module.proxy_applications
|
module.proxy_applications
|
||||||
|
@@ -4,9 +4,9 @@ output "oauth_applications" {
|
|||||||
for k, v in module.oauth_applications : k => {
|
for k, v in module.oauth_applications : k => {
|
||||||
application_id = v.application_id
|
application_id = v.application_id
|
||||||
application_uuid = v.application_uuid
|
application_uuid = v.application_uuid
|
||||||
client_id = v.client_id
|
client_id = v.client_id
|
||||||
client_secret = v.client_secret
|
client_secret = v.client_secret
|
||||||
slug = v.application_slug
|
slug = v.application_slug
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sensitive = true
|
sensitive = true
|
||||||
@@ -18,9 +18,9 @@ output "proxy_applications" {
|
|||||||
for k, v in module.proxy_applications : k => {
|
for k, v in module.proxy_applications : k => {
|
||||||
application_id = v.application_id
|
application_id = v.application_id
|
||||||
application_uuid = v.application_uuid
|
application_uuid = v.application_uuid
|
||||||
external_host = v.external_host
|
external_host = v.external_host
|
||||||
internal_host = v.internal_host
|
internal_host = v.internal_host
|
||||||
slug = v.application_slug
|
slug = v.application_slug
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -61,8 +61,8 @@ output "certificates" {
|
|||||||
description = "Certificates details"
|
description = "Certificates details"
|
||||||
value = {
|
value = {
|
||||||
for k, v in authentik_certificate_key_pair.certificates : k => {
|
for k, v in authentik_certificate_key_pair.certificates : k => {
|
||||||
id = v.id
|
id = v.id
|
||||||
name = v.name
|
name = v.name
|
||||||
fingerprint_sha256 = v.fingerprint_sha256
|
fingerprint_sha256 = v.fingerprint_sha256
|
||||||
fingerprint_sha1 = v.fingerprint_sha1
|
fingerprint_sha1 = v.fingerprint_sha1
|
||||||
}
|
}
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
terraform {
|
terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
authentik = {
|
authentik = {
|
||||||
source = "goauthentik/authentik"
|
source = "goauthentik/authentik"
|
||||||
version = "2025.8.1"
|
version = "2025.8.1"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@@ -1,24 +1,24 @@
|
|||||||
variable "oauth_applications" {
|
variable "oauth_applications" {
|
||||||
description = "Map of OAuth2/OpenID applications"
|
description = "Map of OAuth2/OpenID applications"
|
||||||
type = map(object({
|
type = map(object({
|
||||||
name = string
|
name = string
|
||||||
slug = string
|
slug = string
|
||||||
group = optional(string, "")
|
group = optional(string, "")
|
||||||
policy_engine_mode = optional(string, "all")
|
policy_engine_mode = optional(string, "all")
|
||||||
meta_description = optional(string, "")
|
meta_description = optional(string, "")
|
||||||
meta_launch_url = optional(string, "")
|
meta_launch_url = optional(string, "")
|
||||||
meta_icon = optional(string, "")
|
meta_icon = optional(string, "")
|
||||||
redirect_uris = list(string)
|
redirect_uris = list(string)
|
||||||
client_type = optional(string, "confidential")
|
client_type = optional(string, "confidential")
|
||||||
client_id = optional(string, null)
|
client_id = optional(string, null)
|
||||||
include_claims_in_id_token = optional(bool, true)
|
include_claims_in_id_token = optional(bool, true)
|
||||||
access_code_validity = optional(string, "minutes=1")
|
access_code_validity = optional(string, "minutes=1")
|
||||||
access_token_validity = optional(string, "minutes=5")
|
access_token_validity = optional(string, "minutes=5")
|
||||||
refresh_token_validity = optional(string, "days=30")
|
refresh_token_validity = optional(string, "days=30")
|
||||||
property_mappings = optional(list(string), [])
|
property_mappings = optional(list(string), [])
|
||||||
authorization_flow = optional(string, null)
|
authorization_flow = optional(string, null)
|
||||||
signing_key = optional(string, null)
|
signing_key = optional(string, null)
|
||||||
outpost = optional(string, null)
|
outpost = optional(string, null)
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
@@ -26,25 +26,25 @@ variable "oauth_applications" {
|
|||||||
variable "proxy_applications" {
|
variable "proxy_applications" {
|
||||||
description = "Map of Proxy applications"
|
description = "Map of Proxy applications"
|
||||||
type = map(object({
|
type = map(object({
|
||||||
name = string
|
name = string
|
||||||
slug = string
|
slug = string
|
||||||
group = optional(string, "")
|
group = optional(string, "")
|
||||||
policy_engine_mode = optional(string, "all")
|
policy_engine_mode = optional(string, "all")
|
||||||
meta_description = optional(string, "")
|
meta_description = optional(string, "")
|
||||||
meta_launch_url = optional(string, "")
|
meta_launch_url = optional(string, "")
|
||||||
meta_icon = optional(string, "")
|
meta_icon = optional(string, "")
|
||||||
external_host = string
|
external_host = string
|
||||||
internal_host = optional(string, "")
|
internal_host = optional(string, "")
|
||||||
internal_host_ssl_validation = optional(bool, true)
|
internal_host_ssl_validation = optional(bool, true)
|
||||||
mode = optional(string, "proxy")
|
mode = optional(string, "proxy")
|
||||||
intercept_header_auth = optional(bool, false)
|
intercept_header_auth = optional(bool, false)
|
||||||
basic_auth_enabled = optional(bool, false)
|
basic_auth_enabled = optional(bool, false)
|
||||||
basic_auth_username_attribute = optional(string, "")
|
basic_auth_username_attribute = optional(string, "")
|
||||||
basic_auth_password_attribute = optional(string, "")
|
basic_auth_password_attribute = optional(string, "")
|
||||||
cookie_domain = optional(string, "")
|
cookie_domain = optional(string, "")
|
||||||
authorization_flow = optional(string, null)
|
authorization_flow = optional(string, null)
|
||||||
skip_path_regex = optional(string, "")
|
skip_path_regex = optional(string, "")
|
||||||
outpost = optional(string, null)
|
outpost = optional(string, null)
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
@@ -76,10 +76,10 @@ variable "flows" {
|
|||||||
variable "groups" {
|
variable "groups" {
|
||||||
description = "Map of user groups"
|
description = "Map of user groups"
|
||||||
type = map(object({
|
type = map(object({
|
||||||
name = string
|
name = string
|
||||||
is_superuser = optional(bool, false)
|
is_superuser = optional(bool, false)
|
||||||
parent = optional(string, null)
|
parent = optional(string, null)
|
||||||
attributes = optional(map(any), {})
|
attributes = optional(map(any), {})
|
||||||
}))
|
}))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
@@ -87,8 +87,8 @@ variable "groups" {
|
|||||||
variable "certificates" {
|
variable "certificates" {
|
||||||
description = "Map of certificates for HTTPS"
|
description = "Map of certificates for HTTPS"
|
||||||
type = map(object({
|
type = map(object({
|
||||||
name = string
|
name = string
|
||||||
certificate_data = string
|
certificate_data = string
|
||||||
key_data = string
|
key_data = string
|
||||||
managed = optional(string, null)
|
managed = optional(string, null)
|
||||||
}))
|
}))
|
||||||
@@ -114,7 +114,7 @@ variable "default_authorization_flow" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
variable "default_authentication_flow" {
|
variable "default_authentication_flow" {
|
||||||
description = "Default authentication flow slug"
|
description = "Default authentication flow slug"
|
||||||
type = string
|
type = string
|
||||||
default = "default-authentication-flow"
|
default = "default-authentication-flow"
|
||||||
}
|
}
|
||||||
@@ -134,4 +134,5 @@ variable "tags" {
|
|||||||
variable "authentik_url" {
|
variable "authentik_url" {
|
||||||
description = "Authentik URL"
|
description = "Authentik URL"
|
||||||
type = string
|
type = string
|
||||||
}
|
default = "https://idm.hexor.cy"
|
||||||
|
}
|
||||||
|
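Review bot: The added `default = "https://idm.hexor.cy"` on `variable "authentik_url"` bakes an environment-specific endpoint into the variable, so a run with no tfvars silently targets that instance instead of failing at plan time; the same value feeds `authentik_host` in the outpost `config` block earlier in this commit, so a wrong or stale default produces outposts registered against the wrong host. Prefer leaving the variable without a default and supplying it per environment, or at least add a `validation` block with `condition = startswith(var.authentik_url, "https://")` and an `error_message` so a plain-http override cannot slip in, which matches the `authentik_host_insecure = false` already pinned in the outpost config. The `optional(..., default)` syntax used in the variables file already requires a Terraform version that provides `startswith`.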