mirror of
https://github.com/ghndrx/authentik-terraform.git
synced 2026-02-10 06:44:58 +00:00
Greg Hendrickson
814e41f3f2
Infrastructure as Code for Authentik identity provider managing: OAuth2/OIDC Applications: - Grafana, Home Assistant, Immich - Uptime Kuma (proxy auth) - Sonarr, Radarr, Prowlarr (*arr stack proxy auth) - ArgoCD Identity Sources: - Google Workspace federation LDAP: - TrueNAS LDAP provider and outpost CI/CD: - GitHub Actions workflow for plan/apply - Secrets managed via GitHub Actions secrets Provider: beryju/authentik v2025.2
81 lines
2.5 KiB
HCL
81 lines
2.5 KiB
HCL
# =============================================================================
|
|
# Authentik Terraform Configuration
|
|
# Update the domain below to match your Authentik instance
|
|
# =============================================================================
|
|
|
|
# Decrypt secrets with SOPS
|
|
data "sops_file" "secrets" {
|
|
source_file = "secrets.enc.yaml"
|
|
}
|
|
|
|
provider "authentik" {
|
|
url = var.authentik_url
|
|
token = data.sops_file.secrets.data["authentik_token"]
|
|
}
|
|
|
|
# =============================================================================
|
|
# Data Sources - Existing Resources
|
|
# =============================================================================
|
|
|
|
# Default authentication flow
|
|
data "authentik_flow" "default_authentication" {
|
|
slug = "default-authentication-flow"
|
|
}
|
|
|
|
# Default authorization flow (implicit consent)
|
|
data "authentik_flow" "default_authorization" {
|
|
slug = "default-provider-authorization-implicit-consent"
|
|
}
|
|
|
|
# Default invalidation flow
|
|
data "authentik_flow" "default_invalidation" {
|
|
slug = "default-invalidation-flow"
|
|
}
|
|
|
|
# Default enrollment flow (for social login)
|
|
data "authentik_flow" "default_enrollment" {
|
|
slug = "default-source-enrollment"
|
|
}
|
|
|
|
# Get certificate for signing
|
|
data "authentik_certificate_key_pair" "generated" {
|
|
name = "authentik Self-signed Certificate"
|
|
}
|
|
|
|
# =============================================================================
|
|
# Brand Configuration
|
|
# =============================================================================
|
|
|
|
data "authentik_brand" "default" {
|
|
domain = "authentik-default"
|
|
}
|
|
|
|
# Update brand with proper domain
|
|
resource "authentik_brand" "main" {
|
|
domain = "authentik.example.com" # TODO: Update to your domain
|
|
default = false
|
|
branding_title = "My Lab" # TODO: Update to your org name
|
|
branding_logo = "/static/dist/assets/icons/icon_left_brand.svg"
|
|
branding_favicon = "/static/dist/assets/icons/icon.png"
|
|
|
|
flow_authentication = data.authentik_flow.default_authentication.id
|
|
flow_invalidation = data.authentik_flow.default_invalidation.id
|
|
}
|
|
|
|
# =============================================================================
|
|
# Groups
|
|
# =============================================================================
|
|
|
|
resource "authentik_group" "admins" {
|
|
name = "Admins"
|
|
is_superuser = true
|
|
}
|
|
|
|
resource "authentik_group" "users" {
|
|
name = "Users"
|
|
}
|
|
|
|
# =============================================================================
|
|
# Applications are defined in applications/*.tf
|
|
# =============================================================================
|