ghndrx/authentik-terraform
1
0
Fork 0
mirror of https://github.com/ghndrx/authentik-terraform.git synced 2026-02-10 06:44:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add custom MFA authentication flow with configurable enforcement

Browse Source 
- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.
This commit is contained in:
Greg Hendrickson
2026-02-09 16:03:32 +00:00
parent d55a52a8d5
commit 5d2535067e
8 changed files with 171 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
main.tf
View File

@@ -58,7 +58,8 @@ resource "authentik_brand" "main" {
branding_logo = "/static/dist/assets/icons/icon_left_brand.svg"
branding_favicon = "/static/dist/assets/icons/icon.png"
flow_authentication = data.authentik_flow.default_authentication.id
# Use MFA auth flow if enabled, otherwise default
flow_authentication = var.enable_mfa_flow ? authentik_flow.mfa_authentication.uuid : data.authentik_flow.default_authentication.id
flow_invalidation = data.authentik_flow.default_invalidation.id
}