- Add security-policies.tf: - Strong password policy (12 chars, HIBP check, zxcvbn scoring) - Password reuse prevention (last 5 passwords) - Brute force protection (reputation policy, 5 attempt threshold) - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes - MFA validation stage with configurable enforcement - Admin-only and MFA-required expression policies - Add rbac-groups.tf: - Media group (Sonarr, Radarr, etc.) - Infrastructure group (Grafana, ArgoCD, etc.) - Home Automation group (Home Assistant) - Group-based access policies - Fix main.tf: Remove SOPS, use variables for token - Fix versions.tf: Remove unused SOPS provider - Update README with security documentation
# =============================================================================
# RBAC Groups and Application Permissions
# Defines user groups and their application access
# =============================================================================
# -----------------------------------------------------------------------------
# Core groups (children of the `users` group defined in main.tf)
# -----------------------------------------------------------------------------
# Media group: members are granted access to the media-management apps
# (Sonarr, Radarr, Prowlarr, ...). Nested under the shared "users" group,
# which is declared outside this file.
resource "authentik_group" "media" {
  parent = authentik_group.users.id
  name   = "Media"
}
# Infrastructure group: members are granted access to monitoring and CI/CD
# tooling. Nested under the shared "users" group, which is declared outside
# this file.
resource "authentik_group" "infrastructure" {
  parent = authentik_group.users.id
  name   = "Infrastructure"
}
# Home Automation group: members are granted access to Home Assistant.
# Nested under the shared "users" group, which is declared outside this file.
resource "authentik_group" "home_automation" {
  parent = authentik_group.users.id
  name   = "Home Automation"
}
# -----------------------------------------------------------------------------
# Group-based Access Policies
# Bind these to applications to restrict access
# -----------------------------------------------------------------------------
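# Allows members of the Media group, or any member of the Admins group.
# The Media group name is interpolated from the authentik_group resource rather
# than repeated as a literal, so renaming the group cannot silently desync the
# policy from the group it checks (a stale literal would deny every non-admin
# while still evaluating "successfully").
resource "authentik_policy_expression" "media_access" {
  name = "media-group-access"

  # "Admins" is matched by name only; that group is expected to be defined
  # elsewhere (main.tf per the header comment) — confirm the exact name there.
  expression = <<-EOT
    return ak_is_group_member(request.user, name="${authentik_group.media.name}") or ak_is_group_member(request.user, name="Admins")
  EOT

  # Record every evaluation so access decisions can be audited.
  execution_logging = true
}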
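# Allows members of the Infrastructure group, or any member of the Admins group.
# The Infrastructure group name is interpolated from the authentik_group
# resource rather than repeated as a literal, so renaming the group cannot
# silently desync the policy from the group it checks (a stale literal would
# deny every non-admin while still evaluating "successfully").
resource "authentik_policy_expression" "infrastructure_access" {
  name = "infrastructure-group-access"

  # "Admins" is matched by name only; that group is expected to be defined
  # elsewhere (main.tf per the header comment) — confirm the exact name there.
  expression = <<-EOT
    return ak_is_group_member(request.user, name="${authentik_group.infrastructure.name}") or ak_is_group_member(request.user, name="Admins")
  EOT

  # Record every evaluation so access decisions can be audited.
  execution_logging = true
}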
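# Allows members of the Home Automation group, or any member of the Admins group.
# The Home Automation group name is interpolated from the authentik_group
# resource rather than repeated as a literal, so renaming the group cannot
# silently desync the policy from the group it checks (a stale literal would
# deny every non-admin while still evaluating "successfully").
resource "authentik_policy_expression" "home_automation_access" {
  name = "home-automation-group-access"

  # "Admins" is matched by name only; that group is expected to be defined
  # elsewhere (main.tf per the header comment) — confirm the exact name there.
  expression = <<-EOT
    return ak_is_group_member(request.user, name="${authentik_group.home_automation.name}") or ak_is_group_member(request.user, name="Admins")
  EOT

  # Record every evaluation so access decisions can be audited.
  execution_logging = true
}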
# -----------------------------------------------------------------------------
# Example: Bind policy to an application
# Uncomment and adapt for your applications; an application with no policy bound is reachable by every authenticated user
# -----------------------------------------------------------------------------
# resource "authentik_policy_binding" "sonarr_media_access" {
# target = authentik_application.sonarr.uuid
# policy = authentik_policy_expression.media_access.id
# order = 0
# }
#
# resource "authentik_policy_binding" "grafana_infra_access" {
# target = authentik_application.grafana.uuid
# policy = authentik_policy_expression.infrastructure_access.id
# order = 0
# }
# -----------------------------------------------------------------------------
# Outputs
# -----------------------------------------------------------------------------
# Exposes the Media group's ID so other modules can bind it or add members.
output "media_group_id" {
  value       = authentik_group.media.id
  description = "ID of the Media group"
}
# Exposes the Infrastructure group's ID so other modules can bind it or add
# members.
output "infrastructure_group_id" {
  value       = authentik_group.infrastructure.id
  description = "ID of the Infrastructure group"
}
# Exposes the Home Automation group's ID so other modules can bind it or add
# members.
output "home_automation_group_id" {
  value       = authentik_group.home_automation.id
  description = "ID of the Home Automation group"
}