authentik-terraform

ghndrx/authentik-terraform

Fork 0

mirror of https://github.com/ghndrx/authentik-terraform.git synced 2026-02-10 06:44:58 +00:00

Commit Graph

Author	SHA1	Message	Date
Greg Hendrickson	5d2535067e	feat: Add custom MFA authentication flow with configurable enforcement - Add authentication-flow.tf with complete MFA auth flow: - Identification -> Password -> MFA validation -> Session stages - Brute-force reputation policy binding - Evaluates policies on plan for user context - Add configuration variables: - enable_mfa_flow: Toggle custom MFA flow (default: false) - mfa_enforcement: skip/configure/deny (default: configure) - Fix existing issues: - rbac-groups.tf: parent -> parents (list) - source-google.tf: Use variables instead of deprecated sops - Google source now conditional (created only if credentials provided) - Update README: - Document MFA enforcement levels - Add authentication-flow.tf to file structure - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup Security: Custom flow includes brute-force protection policy bound at flow level, not just stage level.	2026-02-09 16:03:32 +00:00
Greg Hendrickson	d55a52a8d5	feat: Add Portainer OAuth2 + enable RBAC policy bindings - Add app-portainer.tf: OAuth2 provider for Portainer container management - Add portainer_url variable - Enable RBAC policy bindings for Grafana, ArgoCD, Home Assistant - Portainer bound to Infrastructure group policy RBAC Summary: - Infrastructure group → Grafana, ArgoCD, Portainer - Home Automation group → Home Assistant - Media group → arr stack (existing in app-proxy-arr-stack.tf)	2026-02-05 16:03:40 +00:00
Data (Clawdbot)	9a9a47a6a4	feat(security): add comprehensive security policies and RBAC - Add security-policies.tf: - Strong password policy (12 chars, HIBP check, zxcvbn scoring) - Password reuse prevention (last 5 passwords) - Brute force protection (reputation policy, 5 attempt threshold) - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes - MFA validation stage with configurable enforcement - Admin-only and MFA-required expression policies - Add rbac-groups.tf: - Media group (Sonarr, Radarr, etc.) - Infrastructure group (Grafana, ArgoCD, etc.) - Home Automation group (Home Assistant) - Group-based access policies - Fix main.tf: Remove SOPS, use variables for token - Fix versions.tf: Remove unused SOPS provider - Update README with security documentation	2026-02-02 16:05:04 +00:00

Author

SHA1

Message

Date

Greg Hendrickson

5d2535067e

feat: Add custom MFA authentication flow with configurable enforcement

- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.

2026-02-09 16:03:32 +00:00

Greg Hendrickson

d55a52a8d5

feat: Add Portainer OAuth2 + enable RBAC policy bindings

- Add app-portainer.tf: OAuth2 provider for Portainer container management
- Add portainer_url variable
- Enable RBAC policy bindings for Grafana, ArgoCD, Home Assistant
- Portainer bound to Infrastructure group policy

RBAC Summary:
- Infrastructure group → Grafana, ArgoCD, Portainer
- Home Automation group → Home Assistant
- Media group → arr stack (existing in app-proxy-arr-stack.tf)

2026-02-05 16:03:40 +00:00

Data (Clawdbot)

9a9a47a6a4

feat(security): add comprehensive security policies and RBAC

- Add security-policies.tf:
  - Strong password policy (12 chars, HIBP check, zxcvbn scoring)
  - Password reuse prevention (last 5 passwords)
  - Brute force protection (reputation policy, 5 attempt threshold)
  - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes
  - MFA validation stage with configurable enforcement
  - Admin-only and MFA-required expression policies

- Add rbac-groups.tf:
  - Media group (Sonarr, Radarr, etc.)
  - Infrastructure group (Grafana, ArgoCD, etc.)
  - Home Automation group (Home Assistant)
  - Group-based access policies

- Fix main.tf: Remove SOPS, use variables for token
- Fix versions.tf: Remove unused SOPS provider
- Update README with security documentation

2026-02-02 16:05:04 +00:00

3 Commits