- Add authentication-flow.tf with complete MFA auth flow: - Identification -> Password -> MFA validation -> Session stages - Brute-force reputation policy binding - Evaluates policies on plan for user context - Add configuration variables: - enable_mfa_flow: Toggle custom MFA flow (default: false) - mfa_enforcement: skip/configure/deny (default: configure) - Fix existing issues: - rbac-groups.tf: parent -> parents (list) - source-google.tf: Use variables instead of deprecated sops - Google source now conditional (created only if credentials provided) - Update README: - Document MFA enforcement levels - Add authentication-flow.tf to file structure - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup Security: Custom flow includes brute-force protection policy bound at flow level, not just stage level.
# =============================================================================
# Authentik Terraform Configuration
#
# Before applying, update the brand domain in authentik_brand.main (below) to
# match the host name of your Authentik instance.
# =============================================================================

# Authentik Provider Configuration
#
# The API token is never hard-coded here. Supply var.authentik_token through
# one of:
#   - GitHub Actions secrets (CI/CD)
#   - terraform.tfvars (local development only - never commit that file!)
#   - the TF_VAR_authentik_token environment variable
#
# NOTE(review): the variable declarations are not in this file (presumably
# variables.tf); authentik_token should be declared with `sensitive = true`
# so Terraform redacts it from plan/apply output - confirm there.
provider "authentik" {
  token = var.authentik_token
  url   = var.authentik_url
}

# =============================================================================
# Data Sources - Existing Resources
#
# Lookups (by slug or name) of objects that already exist in the instance.
# Nothing in this section creates or modifies anything.
# =============================================================================

# Built-in default authentication flow, looked up by slug. This is the login
# flow the brand falls back to whenever the custom MFA flow is not enabled
# (see flow_authentication on authentik_brand.main).
data "authentik_flow" "default_authentication" {
  slug = "default-authentication-flow"
}

# Built-in default authorization flow with implicit consent, looked up by slug.
# NOTE(review): "implicit consent" presumably means users see no consent
# prompt before an application receives their identity. Fine for first-party
# apps; third-party integrations usually warrant the explicit-consent variant.
# Confirm against the provider definitions in applications/*.tf.
data "authentik_flow" "default_authorization" {
  slug = "default-provider-authorization-implicit-consent"
}

# Built-in default invalidation flow (presumably the logout flow), looked up by
# slug; wired into authentik_brand.main as flow_invalidation.
data "authentik_flow" "default_invalidation" {
  slug = "default-invalidation-flow"
}

# Built-in default source enrollment flow, looked up by slug. Intended for
# social-login sources; nothing in this file references it, so it is presumably
# consumed by the source-*.tf files.
data "authentik_flow" "default_enrollment" {
  slug = "default-source-enrollment"
}

# Signing key pair: the self-signed certificate authentik generates for itself,
# looked up by its well-known name.
# NOTE(review): an auto-generated self-signed pair is acceptable for a lab.
# For production, provision a dedicated, rotated signing key pair and reference
# that instead, so token/assertion signing does not hinge on the bootstrap
# certificate (whose expiry is not tracked anywhere in this configuration).
data "authentik_certificate_key_pair" "generated" {
  name = "authentik Self-signed Certificate"
}

# =============================================================================
# Brand Configuration
#
# A brand controls the login experience (flows, branding) for requests whose
# host matches its domain.
# =============================================================================

# The built-in default brand (domain "authentik-default"), looked up so its
# attributes are available to other files.
# NOTE(review): not referenced anywhere in this file. Its flows stay at the
# stock defaults unless another file changes them - worth checking, since this
# brand presumably serves any host name that authentik_brand.main does not.
data "authentik_brand" "default" {
  domain = "authentik-default"
}

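# Custom brand for this instance, selected by request host name.
#
# TODO: set `domain` to your instance host and `branding_title` to your org
# name before applying.
#
# NOTE(review): with `default = false` this brand only applies to requests
# whose host matches `domain`. Any other host name (internal DNS name, raw IP,
# a second ingress) presumably falls back to the default brand and its stock
# authentication flow, which would side-step the MFA flow chosen below. Either
# make this the default brand or point the default brand at the same flow, and
# confirm which host names the instance actually answers on.
resource "authentik_brand" "main" {
  domain  = "authentik.example.com" # TODO: Update to your domain
  default = false

  branding_title   = "My Lab" # TODO: Update to your org name
  branding_logo    = "/static/dist/assets/icons/icon_left_brand.svg"
  branding_favicon = "/static/dist/assets/icons/icon.png"

  # Login flow: the custom MFA flow when var.enable_mfa_flow is set, otherwise
  # the built-in default. The splat-then-index form resolves the flow's uuid
  # whether authentication-flow.tf declares authentik_flow.mfa_authentication
  # with `count` (as a toggled resource usually is) or as a plain single
  # resource (the splat wraps a single object in a one-element list). A bare
  # `.uuid` reference fails with "Missing resource instance key" in the count
  # case as soon as the toggle is on; the unselected branch of the conditional
  # is not evaluated for errors, so a count of 0 when the toggle is off is
  # harmless.
  flow_authentication = (
    var.enable_mfa_flow
    ? (authentik_flow.mfa_authentication[*].uuid)[0]
    : data.authentik_flow.default_authentication.id
  )

  # Invalidation (logout) keeps the built-in default flow.
  flow_invalidation = data.authentik_flow.default_invalidation.id
}
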
# =============================================================================
# Groups
#
# Membership is not managed here; users are added through the UI or other
# files. Review who ends up in "Admins" - it carries superuser rights.
# =============================================================================

# Administrator group. `is_superuser = true` grants every member full
# administrative rights over the instance, so membership should be minimal,
# periodically reviewed, and limited to MFA-enrolled accounts.
# NOTE(review): no `users` attribute is set, so whoever is added through the
# UI inherits superuser rights without any change showing up in Terraform.
resource "authentik_group" "admins" {
  is_superuser = true
  name         = "Admins"
}

# Ordinary "Users" group with no elevated rights; presumably the group regular
# accounts are placed in and that application access policies are bound to.
resource "authentik_group" "users" {
  name = "Users"
}

# =============================================================================
# Applications are defined in applications/*.tf
# =============================================================================