feat(security): add comprehensive security policies and RBAC

- Add security-policies.tf:
  - Strong password policy (12 chars, HIBP check, zxcvbn scoring)
  - Password reuse prevention (last 5 passwords)
  - Brute force protection (reputation policy, 5 attempt threshold)
  - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes
  - MFA validation stage with configurable enforcement
  - Admin-only and MFA-required expression policies

- Add rbac-groups.tf:
  - Media group (Sonarr, Radarr, etc.)
  - Infrastructure group (Grafana, ArgoCD, etc.)
  - Home Automation group (Home Assistant)
  - Group-based access policies

- Fix main.tf: Remove SOPS, use variables for token
- Fix versions.tf: Remove unused SOPS provider
- Update README with security documentation
Data (Clawdbot)
2026-02-02 16:05:04 +00:00
parent 814e41f3f2
commit 9a9a47a6a4
5 changed files with 327 additions and 10 deletions

main.tf

@@ -3,14 +3,14 @@
# Update the domain below to match your Authentik instance
# =============================================================================
# Decrypt secrets with SOPS
data "sops_file" "secrets" {
source_file = "secrets.enc.yaml"
}
# Authentik Provider Configuration
# Token provided via:
# - GitHub Actions secrets (CI/CD)
# - terraform.tfvars (local dev - never commit!)
# - TF_VAR_authentik_token environment variable
provider "authentik" {
url = var.authentik_url
token = data.sops_file.secrets.data["authentik_token"]
token = var.authentik_token
}
# =============================================================================
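Review bot: the new `token = var.authentik_token` line depends on a `variable "authentik_token"` declaration that is not visible in this hunk; make sure it is declared with `sensitive = true` so the token is redacted from `terraform plan` and `apply` output. Dropping the `data "sops_file" "secrets"` block changes where the secret is sourced, not where it ends up: the provider token is still written in plaintext to Terraform state, so the state backend needs encryption and restricted access regardless of whether it comes from GitHub Actions secrets, `TF_VAR_authentik_token` or a tfvars file. The comment `# - terraform.tfvars (local dev - never commit!)` relies on discipline alone; back it with a `.gitignore` entry for `*.tfvars` (and a committed `terraform.tfvars.example` without real values if a template is wanted).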