Authentik Terraform Configuration

Infrastructure as Code for Authentik identity provider - manage applications, providers, and SSO via Terraform.

Features

• OAuth2/OIDC Applications: ArgoCD, Grafana
• Proxy Authentication: Home Assistant, Immich, Uptime Kuma, *arr stack
• LDAP Outpost: For legacy application support
• Google OAuth Source: Social login integration

Quick Start

1. Fork/Clone This Repo

git clone https://github.com/ghndrx/authentik-terraform.git
cd authentik-terraform

2. Configure GitHub Secrets

Go to Settings > Secrets and variables > Actions and add:

Secret	Description	Example
AUTHENTIK_URL	Your Authentik server URL	https://auth.example.com
AUTHENTIK_TOKEN	API token from Authentik	ak-...
GOOGLE_CLIENT_ID	Google OAuth client ID	xxx.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET	Google OAuth secret	GOCSPX-...
ARGOCD_URL	ArgoCD URL	https://argocd.example.com
GRAFANA_URL	Grafana URL	https://grafana.example.com
HOME_ASSISTANT_URL	Home Assistant URL	https://home.example.com
IMMICH_URL	Immich URL	https://photos.example.com
UPTIME_KUMA_URL	Uptime Kuma URL	https://status.example.com
SONARR_URL	Sonarr URL	https://sonarr.example.com
RADARR_URL	Radarr URL	https://radarr.example.com
PROWLARR_URL	Prowlarr URL	https://prowlarr.example.com

3. Create Authentik API Token

1. Log into Authentik as admin
2. Go to Directory > Tokens and App passwords
3. Create a new token with API Access intent
4. Copy the token value

4. (Optional) Set Up Google OAuth

1. Go to Google Cloud Console
2. Create OAuth 2.0 credentials
3. Add authorized redirect URI: https://auth.example.com/source/oauth/callback/google/

5. Deploy

Push to main branch to trigger deployment, or run manually:

# Local development
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values

terraform init
terraform plan
terraform apply

GitHub Actions Workflow

• On PR: Runs terraform plan for review
• On Push to main: Runs terraform apply automatically
• Manual: Can trigger via Actions tab

File Structure

├── .github/workflows/deploy.yml  # CI/CD pipeline
├── main.tf                       # Authentik provider & brand config
├── variables.tf                  # All configurable variables
├── app-*.tf                      # Application configurations
├── ldap-outpost.tf              # LDAP outpost config
├── source-google.tf             # Google OAuth source
└── outputs.tf                   # Useful outputs

Adding New Applications

OAuth2/OIDC Application

# app-myapp.tf
resource "authentik_provider_oauth2" "myapp" {
  name               = "MyApp"
  authorization_flow = data.authentik_flow.default_authorization.id
  client_id          = "myapp"
  client_type        = "confidential"
  
  redirect_uris = [
    "${var.myapp_url}/oauth/callback"
  ]
  
  property_mappings = data.authentik_property_mapping_provider_scope.oauth2.ids
}

resource "authentik_application" "myapp" {
  name              = "MyApp"
  slug              = "myapp"
  protocol_provider = authentik_provider_oauth2.myapp.id
  
  meta_launch_url = var.myapp_url
  meta_icon       = "https://example.com/icon.png"
}

Proxy Authentication

resource "authentik_provider_proxy" "myapp" {
  name               = "MyApp Proxy"
  authorization_flow = data.authentik_flow.default_authorization.id
  external_host      = var.myapp_url
  mode               = "forward_single"
}

resource "authentik_application" "myapp" {
  name              = "MyApp"
  slug              = "myapp"
  protocol_provider = authentik_provider_proxy.myapp.id
}

Terraform State

By default, state is stored locally. For production, configure remote backend:

# backend.tf
terraform {
  backend "s3" {
    bucket = "your-terraform-state"
    key    = "authentik/terraform.tfstate"
    region = "us-east-1"
  }
}

Security Notes

• Never commit terraform.tfvars or any file with secrets
• Use GitHub Actions secrets for CI/CD
• API tokens should have minimal required permissions
• Rotate tokens periodically

Requirements

Name	Version
terraform	>= 1.5.0
authentik	>= 2024.0

License

MIT