mirror of
https://github.com/ghndrx/authentik-terraform.git
synced 2026-02-09 22:34:56 +00:00
5d2535067e
- Add authentication-flow.tf with complete MFA auth flow: - Identification -> Password -> MFA validation -> Session stages - Brute-force reputation policy binding - Evaluates policies on plan for user context - Add configuration variables: - enable_mfa_flow: Toggle custom MFA flow (default: false) - mfa_enforcement: skip/configure/deny (default: configure) - Fix existing issues: - rbac-groups.tf: parent -> parents (list) - source-google.tf: Use variables instead of deprecated sops - Google source now conditional (created only if credentials provided) - Update README: - Document MFA enforcement levels - Add authentication-flow.tf to file structure - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup Security: Custom flow includes brute-force protection policy bound at flow level, not just stage level.
Authentik Terraform Configuration
Infrastructure as Code for Authentik identity provider - manage applications, providers, and SSO via Terraform.
Features
- OAuth2/OIDC Applications: ArgoCD, Grafana
- Proxy Authentication: Home Assistant, Immich, Uptime Kuma, *arr stack
- LDAP Outpost: For legacy application support
- Google OAuth Source: Social login integration
- Security Policies: Strong passwords, MFA, brute-force protection
- RBAC Groups: Role-based access control for applications
Quick Start
1. Fork/Clone This Repo
git clone https://github.com/ghndrx/authentik-terraform.git
cd authentik-terraform
2. Configure GitHub Secrets
Go to Settings > Secrets and variables > Actions and add:
| Secret | Description | Example |
|---|---|---|
AUTHENTIK_URL |
Your Authentik server URL | https://auth.example.com |
AUTHENTIK_TOKEN |
API token from Authentik | ak-... |
GOOGLE_CLIENT_ID |
Google OAuth client ID | xxx.apps.googleusercontent.com |
GOOGLE_CLIENT_SECRET |
Google OAuth secret | GOCSPX-... |
ARGOCD_URL |
ArgoCD URL | https://argocd.example.com |
GRAFANA_URL |
Grafana URL | https://grafana.example.com |
HOME_ASSISTANT_URL |
Home Assistant URL | https://home.example.com |
IMMICH_URL |
Immich URL | https://photos.example.com |
UPTIME_KUMA_URL |
Uptime Kuma URL | https://status.example.com |
SONARR_URL |
Sonarr URL | https://sonarr.example.com |
RADARR_URL |
Radarr URL | https://radarr.example.com |
PROWLARR_URL |
Prowlarr URL | https://prowlarr.example.com |
3. Create Authentik API Token
- Log into Authentik as admin
- Go to Directory > Tokens and App passwords
- Create a new token with API Access intent
- Copy the token value
4. (Optional) Set Up Google OAuth
- Go to Google Cloud Console
- Create OAuth 2.0 credentials
- Add authorized redirect URI:
https://auth.example.com/source/oauth/callback/google/
5. Deploy
Push to main branch to trigger deployment, or run manually:
# Local development
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform apply
GitHub Actions Workflow
- On PR: Runs
terraform planfor review - On Push to main: Runs
terraform applyautomatically - Manual: Can trigger via Actions tab
File Structure
├── .github/workflows/deploy.yml # CI/CD pipeline
├── main.tf # Authentik provider & brand config
├── variables.tf # All configurable variables
├── authentication-flow.tf # Custom MFA authentication flow
├── security-policies.tf # Password, MFA, brute-force policies
├── rbac-groups.tf # RBAC groups and access policies
├── app-*.tf # Application configurations
├── ldap-outpost.tf # LDAP outpost config
├── source-google.tf # Google OAuth source
└── outputs.tf # Useful outputs
Adding New Applications
OAuth2/OIDC Application
# app-myapp.tf
resource "authentik_provider_oauth2" "myapp" {
name = "MyApp"
authorization_flow = data.authentik_flow.default_authorization.id
client_id = "myapp"
client_type = "confidential"
redirect_uris = [
"${var.myapp_url}/oauth/callback"
]
property_mappings = data.authentik_property_mapping_provider_scope.oauth2.ids
}
resource "authentik_application" "myapp" {
name = "MyApp"
slug = "myapp"
protocol_provider = authentik_provider_oauth2.myapp.id
meta_launch_url = var.myapp_url
meta_icon = "https://example.com/icon.png"
}
Proxy Authentication
resource "authentik_provider_proxy" "myapp" {
name = "MyApp Proxy"
authorization_flow = data.authentik_flow.default_authorization.id
external_host = var.myapp_url
mode = "forward_single"
}
resource "authentik_application" "myapp" {
name = "MyApp"
slug = "myapp"
protocol_provider = authentik_provider_proxy.myapp.id
}
Terraform State
By default, state is stored locally. For production, configure remote backend:
# backend.tf
terraform {
backend "s3" {
bucket = "your-terraform-state"
key = "authentik/terraform.tfstate"
region = "us-east-1"
}
}
Security Policies (security-policies.tf)
This configuration includes enterprise-grade security controls:
Password Policy
- Minimum 12 characters
- Requires uppercase, lowercase, digits, and symbols
- Have I Been Pwned integration - rejects breached passwords
- zxcvbn password strength scoring (requires "strong" level 3/4)
- Password reuse prevention (last 5 passwords)
Multi-Factor Authentication
- TOTP authenticator apps (Google Authenticator, Authy, etc.)
- WebAuthn/Passkeys (YubiKey, Touch ID, Windows Hello)
- Static recovery codes (10 codes, 12 characters each)
- Configurable enforcement: skip, deny, or force configuration
Brute Force Protection
- Reputation-based blocking after 5 failed attempts
- Blocks by IP address and username
- Execution logging for audit trail
To Enable MFA Enforcement:
Option 1: Use the Custom MFA Authentication Flow (Recommended)
Set in terraform.tfvars:
enable_mfa_flow = true
mfa_enforcement = "configure" # or "deny" for strict enforcement
This creates a complete authentication flow with:
- User identification → Password → MFA validation → Session creation
- Brute-force protection policy binding
- Configurable MFA enforcement level
Option 2: Manual Configuration
- Deploy these policies with
terraform apply - In Authentik UI: Edit your authentication flow
- Add the
mfa-validationstage after the password stage - Set
not_configured_actiontodenyfor strict enforcement
MFA Enforcement Levels
| Level | Behavior |
|---|---|
skip |
MFA optional, no prompt if not configured |
configure |
Prompts users to set up MFA on login (recommended for rollout) |
deny |
Blocks login if MFA not configured (use after users have set up MFA) |
RBAC Groups (rbac-groups.tf)
Role-based access control with three predefined groups:
| Group | Purpose | Example Apps |
|---|---|---|
| Media | Media server access | Sonarr, Radarr, Prowlarr, Plex |
| Infrastructure | DevOps/monitoring | Grafana, ArgoCD, Portainer |
| Home Automation | Smart home | Home Assistant |
Admins automatically have access to all groups. Bind policies to applications:
resource "authentik_policy_binding" "grafana_infra_access" {
target = authentik_application.grafana.uuid
policy = authentik_policy_expression.infrastructure_access.id
order = 0
}
Security Notes
- Never commit
terraform.tfvarsor any file with secrets - Use GitHub Actions secrets for CI/CD
- API tokens should have minimal required permissions
- Rotate tokens periodically
- Enable execution logging for security audit trails
- Review login events in Authentik's Events log regularly
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| authentik | >= 2024.0 |
License
MIT