Initial scaffold
- Terraform module for groups, SAML/OAuth2/LDAP providers, applications, and LDAP outposts - Data-driven YAML config with Terragrunt config loader - Environment: identity.unkin.net with Consul backend - Provider: goauthentik/authentik 2026.5.0 - Woodpecker CI pipelines (pre-commit, plan, apply) - Makefile with Vault AppRole and K8s auth support
This commit is contained in:
@@ -0,0 +1,85 @@
|
||||
resource "authentik_group" "this" {
|
||||
for_each = var.groups
|
||||
|
||||
name = each.value.name
|
||||
is_superuser = each.value.is_superuser
|
||||
parent = each.value.parent != null ? authentik_group.this[each.value.parent].id : null
|
||||
attributes = jsonencode(each.value.attributes)
|
||||
}
|
||||
|
||||
resource "authentik_provider_saml" "this" {
|
||||
for_each = var.providers_saml
|
||||
|
||||
name = each.value.name
|
||||
authorization_flow = each.value.authorization_flow
|
||||
acs_url = each.value.acs_url
|
||||
issuer = each.value.issuer
|
||||
sp_binding = each.value.sp_binding
|
||||
audience = each.value.audience
|
||||
name_id_mapping = each.value.name_id_mapping
|
||||
signing_kp = each.value.signing_kp
|
||||
}
|
||||
|
||||
resource "authentik_provider_oauth2" "this" {
|
||||
for_each = var.providers_oauth2
|
||||
|
||||
name = each.value.name
|
||||
authorization_flow = each.value.authorization_flow
|
||||
client_type = each.value.client_type
|
||||
client_id = each.value.client_id
|
||||
client_secret = each.value.client_secret
|
||||
redirect_uris = each.value.redirect_uris
|
||||
property_mappings = each.value.property_mappings
|
||||
signing_key = each.value.signing_key
|
||||
access_token_validity = each.value.access_token_validity
|
||||
}
|
||||
|
||||
resource "authentik_provider_ldap" "this" {
|
||||
for_each = var.providers_ldap
|
||||
|
||||
name = each.value.name
|
||||
authorization_flow = each.value.authorization_flow
|
||||
base_dn = each.value.base_dn
|
||||
bind_flow = each.value.bind_flow
|
||||
search_group = each.value.search_group
|
||||
certificate = each.value.certificate
|
||||
tls_server_name = each.value.tls_server_name
|
||||
uid_start_number = each.value.uid_start_number
|
||||
gid_start_number = each.value.gid_start_number
|
||||
search_mode = each.value.search_mode
|
||||
bind_mode = each.value.bind_mode
|
||||
mfa_support = each.value.mfa_support
|
||||
}
|
||||
|
||||
resource "authentik_application" "saml" {
|
||||
for_each = var.providers_saml
|
||||
|
||||
name = each.value.name
|
||||
slug = each.key
|
||||
protocol_provider = authentik_provider_saml.this[each.key].id
|
||||
}
|
||||
|
||||
resource "authentik_application" "oauth2" {
|
||||
for_each = var.providers_oauth2
|
||||
|
||||
name = each.value.name
|
||||
slug = each.key
|
||||
protocol_provider = authentik_provider_oauth2.this[each.key].id
|
||||
}
|
||||
|
||||
resource "authentik_application" "ldap" {
|
||||
for_each = var.providers_ldap
|
||||
|
||||
name = each.value.name
|
||||
slug = each.key
|
||||
protocol_provider = authentik_provider_ldap.this[each.key].id
|
||||
}
|
||||
|
||||
resource "authentik_outpost" "ldap" {
|
||||
for_each = var.providers_ldap
|
||||
|
||||
name = "${each.key}-outpost"
|
||||
type = "ldap"
|
||||
protocol_providers = [authentik_provider_ldap.this[each.key].id]
|
||||
service_connection = "local"
|
||||
}
|
||||
@@ -0,0 +1,56 @@
|
||||
variable "groups" {
|
||||
type = map(object({
|
||||
name = string
|
||||
is_superuser = optional(bool, false)
|
||||
parent = optional(string, null)
|
||||
attributes = optional(map(string), {})
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "providers_saml" {
|
||||
type = map(object({
|
||||
name = string
|
||||
authorization_flow = string
|
||||
acs_url = string
|
||||
issuer = optional(string, null)
|
||||
sp_binding = optional(string, "post")
|
||||
audience = optional(string, "")
|
||||
name_id_mapping = optional(string, null)
|
||||
signing_kp = optional(string, null)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "providers_oauth2" {
|
||||
type = map(object({
|
||||
name = string
|
||||
authorization_flow = string
|
||||
client_type = optional(string, "confidential")
|
||||
client_id = optional(string, null)
|
||||
client_secret = optional(string, null)
|
||||
redirect_uris = optional(list(string), [])
|
||||
property_mappings = optional(list(string), [])
|
||||
signing_key = optional(string, null)
|
||||
access_token_validity = optional(string, "minutes=5")
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "providers_ldap" {
|
||||
type = map(object({
|
||||
name = string
|
||||
authorization_flow = string
|
||||
base_dn = string
|
||||
bind_flow = optional(string, null)
|
||||
search_group = optional(string, null)
|
||||
certificate = optional(string, null)
|
||||
tls_server_name = optional(string, null)
|
||||
uid_start_number = optional(number, 2000)
|
||||
gid_start_number = optional(number, 4000)
|
||||
search_mode = optional(string, "cached")
|
||||
bind_mode = optional(string, "cached")
|
||||
mfa_support = optional(bool, true)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
Reference in New Issue
Block a user