feat: Add custom MFA authentication flow with configurable enforcement

- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.
Greg Hendrickson
2026-02-09 16:03:32 +00:00
parent d55a52a8d5
commit 5d2535067e
8 changed files with 171 additions and 11 deletions
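As an added illustration, not code from this repository: the commit message names two new variables, `enable_mfa_flow` (default `false`) and `mfa_enforcement` (`skip`/`configure`/`deny`, default `configure`), and a `mfa-validation` stage whose `not_configured_action` carries the enforcement level. The block below shows one way to declare those variables so that a mistyped level fails at `terraform plan` rather than producing an unexpected flow, and to wire the level into the stage only when the flow is enabled. The variable names, defaults and allowed values come from the commit message; the `validation` blocks, the `count` guard and the `authentik_stage_authenticator_validate` resource (the goauthentik provider's name for the MFA validation stage, as I know it, not something shown on this page) are assumptions.

```hcl
# Added example, not part of the repository's own variables.tf or
# authentication-flow.tf. Names and defaults are taken from the commit
# message; the validation and the stage resource are assumptions.

variable "enable_mfa_flow" {
  description = "Create the custom MFA authentication flow. Off by default so a plain apply does not change login behaviour."
  type        = bool
  default     = false
}

variable "mfa_enforcement" {
  description = "Behaviour of the MFA validation stage for users with no configured device: skip, configure or deny."
  type        = string
  default     = "configure"

  # Reject anything outside the three documented levels at plan time.
  validation {
    condition     = contains(["skip", "configure", "deny"], var.mfa_enforcement)
    error_message = "mfa_enforcement must be one of: skip, configure, deny."
  }
}

# The MFA validation stage exists only when the custom flow is enabled;
# the enforcement level maps straight onto not_configured_action.
resource "authentik_stage_authenticator_validate" "mfa_validation" {
  count = var.enable_mfa_flow ? 1 : 0

  name                  = "mfa-validation"
  not_configured_action = var.mfa_enforcement
  device_classes        = ["totp", "webauthn", "static"]
}
```

With this in place, `mfa_enforcement = "denny"` in `terraform.tfvars` is caught before anything is sent to Authentik, and toggling `enable_mfa_flow` back to `false` removes the stage on the next apply, which is the rollback path a rollout from `configure` to `deny` should keep available.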


@@ -78,6 +78,7 @@ terraform apply
├── .github/workflows/deploy.yml # CI/CD pipeline
├── main.tf # Authentik provider & brand config
├── variables.tf # All configurable variables
├── authentication-flow.tf # Custom MFA authentication flow
├── security-policies.tf # Password, MFA, brute-force policies
├── rbac-groups.tf # RBAC groups and access policies
├── app-*.tf # Application configurations
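Review bot: the new `authentication-flow.tf` entry in the file tree reads as if the custom flow is always deployed, but the commit message introduces `enable_mfa_flow` with a default of `false`, so the file creates nothing until that variable is set. Suggest saying so in the tree comment, e.g. `├── authentication-flow.tf # Custom MFA authentication flow (enable_mfa_flow = true)`, so a reader scanning the structure does not assume MFA is enforced after a plain `terraform apply`.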
@@ -170,11 +171,34 @@ This configuration includes enterprise-grade security controls:
- Execution logging for audit trail
### To Enable MFA Enforcement:
**Option 1: Use the Custom MFA Authentication Flow (Recommended)**
Set in `terraform.tfvars`:
```hcl
enable_mfa_flow = true
mfa_enforcement = "configure" # or "deny" for strict enforcement
```
This creates a complete authentication flow with:
- User identification → Password → MFA validation → Session creation
- Brute-force protection policy binding
- Configurable MFA enforcement level
**Option 2: Manual Configuration**
1. Deploy these policies with `terraform apply`
2. In Authentik UI: Edit your authentication flow
3. Add the `mfa-validation` stage after the password stage
4. Set `not_configured_action` to `deny` for strict enforcement
### MFA Enforcement Levels
| Level | Behavior |
|-------|----------|
| `skip` | MFA optional, no prompt if not configured |
| `configure` | Prompts users to set up MFA on login (recommended for rollout) |
| `deny` | Blocks login if MFA not configured (use after users have set up MFA) |
## RBAC Groups (rbac-groups.tf)
Role-based access control with three predefined groups:
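Review bot: Option 2 (steps 1 to 4) leaves out the flow-level brute-force policy binding that the commit message names as the security gain of the custom flow, so someone following the manual path ends up with a weaker configuration than Option 1 without the README saying so. Suggest adding a step 5 ("Bind the brute-force reputation policy to the flow itself, not only to the password stage") or stating under Option 2 that it covers MFA enforcement only. In the same hunk, the `deny` row of the enforcement table should note the recovery path if the switch from `configure` to `deny` locks out an administrator who has no device enrolled (for example, keep `mfa_enforcement = "configure"` applied until every admin account is verified, or document the out-of-band recovery flow), since "use after users have set up MFA" gives no way to check that precondition. Minor style point: the heading `### To Enable MFA Enforcement:` carries a trailing colon while the sibling `### MFA Enforcement Levels` does not.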