- Add security-policies.tf: - Strong password policy (12 chars, HIBP check, zxcvbn scoring) - Password reuse prevention (last 5 passwords) - Brute force protection (reputation policy, 5 attempt threshold) - MFA stages: TOTP, WebAuthn/Passkeys, recovery codes - MFA validation stage with configurable enforcement - Admin-only and MFA-required expression policies - Add rbac-groups.tf: - Media group (Sonarr, Radarr, etc.) - Infrastructure group (Grafana, ArgoCD, etc.) - Home Automation group (Home Assistant) - Group-based access policies - Fix main.tf: Remove SOPS, use variables for token - Fix versions.tf: Remove unused SOPS provider - Update README with security documentation
# =============================================================================
# Authentik Terraform Configuration
# Update the domain below to match your Authentik instance
# =============================================================================

# Authentik Provider Configuration
# Token provided via:
# - GitHub Actions secrets (CI/CD)
# - terraform.tfvars (local dev - never commit!)
# - TF_VAR_authentik_token environment variable
provider "authentik" {
  # Base URL of the Authentik instance; sourced from a variable so no
  # environment-specific value is hard-coded in this file.
  url = var.authentik_url
  # API token used for every provider call. Both values are read from
  # variables, so no credential lives in this file.
  # NOTE(review): var.authentik_token should be declared with
  # `sensitive = true` in its variable block so it is redacted from
  # plan/apply output and state diffs — confirm in variables.tf (not shown here).
  token = var.authentik_token
}

# =============================================================================
# Data Sources - Existing Resources
# =============================================================================

# Default authentication flow
data "authentik_flow" "default_authentication" {
  # Looked up by slug rather than managed here: the flow must already exist
  # in the instance, otherwise the data source lookup fails.
  slug = "default-authentication-flow"
}

# Default authorization flow (implicit consent)
data "authentik_flow" "default_authorization" {
  # Implicit-consent variant: users are not shown a consent prompt when an
  # application is authorized. Not referenced in this file; presumably
  # consumed by the providers in applications/*.tf — verify there.
  slug = "default-provider-authorization-implicit-consent"
}

# Default invalidation flow
data "authentik_flow" "default_invalidation" {
  # Flow run on logout; wired to the brand below via flow_invalidation.
  slug = "default-invalidation-flow"
}

# Default enrollment flow (for social login)
data "authentik_flow" "default_enrollment" {
  # Enrollment flow for users arriving through an external source. Not
  # referenced in this file; presumably attached to a source defined
  # elsewhere — verify before relying on it.
  slug = "default-source-enrollment"
}

# Get certificate for signing
data "authentik_certificate_key_pair" "generated" {
  # Looked up by display name. NOTE(review): this appears to be the
  # self-signed pair Authentik creates on its own; if it is used to sign
  # OIDC/SAML tokens, a dedicated key pair with a tracked expiry and
  # rotation plan is preferable — confirm where this data source is
  # consumed (not in this file).
  name = "authentik Self-signed Certificate"
}

# =============================================================================
# Brand Configuration
# =============================================================================

data "authentik_brand" "default" {
  # Built-in brand, looked up by its domain value. Not referenced in this
  # file; presumably used by applications/*.tf — verify, or drop it if unused.
  domain = "authentik-default"
}

# Update brand with proper domain
resource "authentik_brand" "main" {
  # Request host this brand applies to.
  domain = "authentik.example.com" # TODO: Update to your domain
  # Not the fallback brand: requests for other hosts presumably still hit
  # the built-in default brand — confirm against the provider docs.
  default = false
  branding_title = "My Lab" # TODO: Update to your org name
  # Stock asset paths shipped with Authentik.
  branding_logo = "/static/dist/assets/icons/icon_left_brand.svg"
  branding_favicon = "/static/dist/assets/icons/icon.png"

  # Login and logout flows come from the data sources above; authorization
  # and enrollment flows are looked up but not attached here.
  flow_authentication = data.authentik_flow.default_authentication.id
  flow_invalidation = data.authentik_flow.default_invalidation.id
}

# =============================================================================
# Groups
# =============================================================================

resource "authentik_group" "admins" {
  name = "Admins"
  # Superuser grants full administrative rights in Authentik; membership of
  # this group is the instance's highest-privilege boundary, so keep it
  # minimal and review it regularly.
  is_superuser = true
}
resource "authentik_group" "users" {
  # Plain user group; is_superuser is left at the provider default (false).
  name = "Users"
}

# =============================================================================
# Applications are defined in applications/*.tf
# =============================================================================