- Add authentication-flow.tf with complete MFA auth flow: - Identification -> Password -> MFA validation -> Session stages - Brute-force reputation policy binding - Evaluates policies on plan for user context - Add configuration variables: - enable_mfa_flow: Toggle custom MFA flow (default: false) - mfa_enforcement: skip/configure/deny (default: configure) - Fix existing issues: - rbac-groups.tf: parent -> parents (list) - source-google.tf: Use variables instead of deprecated sops - Google source now conditional (created only if credentials provided) - Update README: - Document MFA enforcement levels - Add authentication-flow.tf to file structure - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup Security: Custom flow includes brute-force protection policy bound at flow level, not just stage level.
# =============================================================================
# RBAC Groups and Application Permissions
# Defines user groups and their application access
# =============================================================================
# -----------------------------------------------------------------------------
# Core Groups (extend from main.tf)
# -----------------------------------------------------------------------------
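# Media group - access to Sonarr, Radarr, Prowlarr, etc.
# Child of the "users" group, which is declared outside this file (the
# section header above points at main.tf).
resource "authentik_group" "media" {
  name    = "Media"
  parents = [authentik_group.users.id]

  # Pinned explicitly (the provider default is already false) so that a later
  # edit cannot quietly promote this group to superuser; membership here is
  # meant to grant application-scoped access only.
  is_superuser = false
}

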
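# Infrastructure group - access to monitoring, CI/CD tools
# Child of the "users" group declared outside this file.
resource "authentik_group" "infrastructure" {
  name    = "Infrastructure"
  parents = [authentik_group.users.id]

  # Explicit least-privilege marker: this group must never become a superuser
  # group, its only purpose is gating the infrastructure applications bound
  # further down in this file.
  is_superuser = false
}

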
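# Home Automation group - Home Assistant access
# Child of the "users" group declared outside this file.
resource "authentik_group" "home_automation" {
  name    = "Home Automation"
  parents = [authentik_group.users.id]

  # Stated explicitly so reviewers and drift detection can see that this
  # group carries no superuser privilege.
  is_superuser = false
}

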
# -----------------------------------------------------------------------------
# Group-based Access Policies
# Bind these to applications to restrict access
# -----------------------------------------------------------------------------
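# Allows members of the Media group, or of Admins.
# The Media group name is interpolated from the Terraform-managed resource so
# that renaming authentik_group.media cannot silently desynchronise this
# policy from the group it is meant to check.
resource "authentik_policy_expression" "media_access" {
  name = "media-group-access"

  # "Admins" is not managed in this file; presumably created alongside the
  # "users" group in main.tf - confirm the literal matches that group's name.
  expression = <<-EOT
    return ak_is_group_member(request.user, name="${authentik_group.media.name}") or ak_is_group_member(request.user, name="Admins")
  EOT

  # Keep per-evaluation logging on so allow/deny decisions are traceable.
  execution_logging = true
}

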
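# Allows members of the Infrastructure group, or of Admins.
# The group name is taken from authentik_group.infrastructure rather than
# repeated as a literal, so the policy and the group cannot drift apart.
resource "authentik_policy_expression" "infrastructure_access" {
  name = "infrastructure-group-access"

  # "Admins" is not declared in this file; presumably lives in main.tf -
  # confirm the literal matches that group's name.
  expression = <<-EOT
    return ak_is_group_member(request.user, name="${authentik_group.infrastructure.name}") or ak_is_group_member(request.user, name="Admins")
  EOT

  # Keep per-evaluation logging on so allow/deny decisions are traceable.
  execution_logging = true
}

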
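# Allows members of the Home Automation group, or of Admins.
# The group name is interpolated from authentik_group.home_automation so a
# rename of that resource is reflected here automatically.
resource "authentik_policy_expression" "home_automation_access" {
  name = "home-automation-group-access"

  # "Admins" is not declared in this file; presumably lives in main.tf -
  # confirm the literal matches that group's name.
  expression = <<-EOT
    return ak_is_group_member(request.user, name="${authentik_group.home_automation.name}") or ak_is_group_member(request.user, name="Admins")
  EOT

  # Keep per-evaluation logging on so allow/deny decisions are traceable.
  execution_logging = true
}

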
# -----------------------------------------------------------------------------
# Application Policy Bindings
# Restrict app access by group membership
# -----------------------------------------------------------------------------
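# Infrastructure apps - require Infrastructure group
# Binds the infrastructure_access expression to the Grafana application
# (declared outside this file).
resource "authentik_policy_binding" "grafana_infra_access" {
  target = authentik_application.grafana.uuid
  policy = authentik_policy_expression.infrastructure_access.id
  order  = 0

  # Fail closed: if the expression raises instead of returning, the binding
  # counts as a deny rather than letting the request through. This is the
  # provider default, stated explicitly so it is visible in review.
  failure_result = false
}

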
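# Binds the infrastructure_access expression to the Argo CD application
# (declared outside this file).
resource "authentik_policy_binding" "argocd_infra_access" {
  target = authentik_application.argocd.uuid
  policy = authentik_policy_expression.infrastructure_access.id
  order  = 0

  # Fail closed on expression errors (explicit restatement of the default).
  failure_result = false
}

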
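# Home Automation apps
# Binds the home_automation_access expression to the Home Assistant
# application (declared outside this file).
resource "authentik_policy_binding" "homeassistant_access" {
  target = authentik_application.home_assistant.uuid
  policy = authentik_policy_expression.home_automation_access.id
  order  = 0

  # Fail closed on expression errors (explicit restatement of the default).
  failure_result = false
}

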
# Media apps - require Media group (handled in app-proxy-arr-stack.tf)
# -----------------------------------------------------------------------------
# Outputs
# -----------------------------------------------------------------------------
# Primary key of the Media group managed in this file.
output "media_group_id" {
  value       = authentik_group.media.id
  description = "ID of the Media group"
}


# Primary key of the Infrastructure group managed in this file.
output "infrastructure_group_id" {
  value       = authentik_group.infrastructure.id
  description = "ID of the Infrastructure group"
}


# Primary key of the Home Automation group managed in this file.
output "home_automation_group_id" {
  value       = authentik_group.home_automation.id
  description = "ID of the Home Automation group"
}