mirror of
https://github.com/ghndrx/authentik-terraform.git
synced 2026-02-10 06:44:58 +00:00
5d2535067e
- Add authentication-flow.tf with complete MFA auth flow: - Identification -> Password -> MFA validation -> Session stages - Brute-force reputation policy binding - Evaluates policies on plan for user context - Add configuration variables: - enable_mfa_flow: Toggle custom MFA flow (default: false) - mfa_enforcement: skip/configure/deny (default: configure) - Fix existing issues: - rbac-groups.tf: parent -> parents (list) - source-google.tf: Use variables instead of deprecated sops - Google source now conditional (created only if credentials provided) - Update README: - Document MFA enforcement levels - Add authentication-flow.tf to file structure - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup Security: Custom flow includes brute-force protection policy bound at flow level, not just stage level.
114 lines
2.6 KiB
HCL
114 lines
2.6 KiB
HCL
################################################################################
|
|
# Authentik Terraform Variables
|
|
#
|
|
# Set these via:
|
|
# - GitHub Actions secrets (recommended)
|
|
# - terraform.tfvars (local dev only - never commit!)
|
|
# - Environment variables (TF_VAR_*)
|
|
################################################################################
|
|
|
|
# Authentik Connection
|
|
variable "authentik_url" {
|
|
type = string
|
|
description = "Authentik server URL (e.g., https://auth.example.com)"
|
|
}
|
|
|
|
variable "authentik_token" {
|
|
type = string
|
|
sensitive = true
|
|
description = "Authentik API token"
|
|
}
|
|
|
|
# Google OAuth (optional)
|
|
variable "google_client_id" {
|
|
type = string
|
|
default = ""
|
|
description = "Google OAuth client ID"
|
|
}
|
|
|
|
variable "google_client_secret" {
|
|
type = string
|
|
sensitive = true
|
|
default = ""
|
|
description = "Google OAuth client secret"
|
|
}
|
|
|
|
# Application URLs
|
|
variable "argocd_url" {
|
|
type = string
|
|
default = ""
|
|
description = "ArgoCD URL for SSO"
|
|
}
|
|
|
|
variable "grafana_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Grafana URL for SSO"
|
|
}
|
|
|
|
variable "home_assistant_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Home Assistant URL for proxy auth"
|
|
}
|
|
|
|
variable "immich_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Immich URL for proxy auth"
|
|
}
|
|
|
|
variable "uptime_kuma_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Uptime Kuma URL for proxy auth"
|
|
}
|
|
|
|
variable "sonarr_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Sonarr URL for proxy auth"
|
|
}
|
|
|
|
variable "radarr_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Radarr URL for proxy auth"
|
|
}
|
|
|
|
variable "prowlarr_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Prowlarr URL for proxy auth"
|
|
}
|
|
|
|
variable "portainer_url" {
|
|
type = string
|
|
default = ""
|
|
description = "Portainer URL for SSO"
|
|
}
|
|
|
|
# LDAP Configuration
|
|
variable "ldap_base_dn" {
|
|
type = string
|
|
default = "dc=ldap,dc=example,dc=com"
|
|
description = "LDAP base DN"
|
|
}
|
|
|
|
# Security Configuration
|
|
variable "enable_mfa_flow" {
|
|
type = bool
|
|
default = false
|
|
description = "Use custom MFA authentication flow instead of default"
|
|
}
|
|
|
|
variable "mfa_enforcement" {
|
|
type = string
|
|
default = "configure"
|
|
description = "MFA enforcement mode: 'skip' (optional), 'configure' (prompt to set up), 'deny' (required)"
|
|
validation {
|
|
condition = contains(["skip", "configure", "deny"], var.mfa_enforcement)
|
|
error_message = "MFA enforcement must be one of: skip, configure, deny"
|
|
}
|
|
}
|