Greg Hendrickson
|
5d2535067e
|
feat: Add custom MFA authentication flow with configurable enforcement
- Add authentication-flow.tf with complete MFA auth flow:
- Identification -> Password -> MFA validation -> Session stages
- Brute-force reputation policy binding
- Evaluates policies on plan for user context
- Add configuration variables:
- enable_mfa_flow: Toggle custom MFA flow (default: false)
- mfa_enforcement: skip/configure/deny (default: configure)
- Fix existing issues:
- rbac-groups.tf: parent -> parents (list)
- source-google.tf: Use variables instead of deprecated sops
- Google source now conditional (created only if credentials provided)
- Update README:
- Document MFA enforcement levels
- Add authentication-flow.tf to file structure
- Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup
Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.
|
2026-02-09 16:03:32 +00:00 |
|
Data (Clawdbot)
|
9a9a47a6a4
|
feat(security): add comprehensive security policies and RBAC
- Add security-policies.tf:
- Strong password policy (12 chars, HIBP check, zxcvbn scoring)
- Password reuse prevention (last 5 passwords)
- Brute force protection (reputation policy, 5 attempt threshold)
- MFA stages: TOTP, WebAuthn/Passkeys, recovery codes
- MFA validation stage with configurable enforcement
- Admin-only and MFA-required expression policies
- Add rbac-groups.tf:
- Media group (Sonarr, Radarr, etc.)
- Infrastructure group (Grafana, ArgoCD, etc.)
- Home Automation group (Home Assistant)
- Group-based access policies
- Fix main.tf: Remove SOPS, use variables for token
- Fix versions.tf: Remove unused SOPS provider
- Update README with security documentation
|
2026-02-02 16:05:04 +00:00 |
|