diff --git a/modules/authentik/.terraform.lock.hcl b/modules/authentik/.terraform.lock.hcl
new file mode 100644
index 0000000..28423cf
--- /dev/null
+++ b/modules/authentik/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/goauthentik/authentik" {
+ version = "2026.5.0"
+ constraints = ">= 2026.5.0"
+ hashes = [
+ "h1:SeznjPKBzSrgo8WasRnuxiGMDSeQHEKsv3U/xw8bhQE=",
+ "zh:0dc1706f6fbff866f4a96de56a4934b9a277954bcdd0713549a29a9b8ec85153",
+ "zh:218417ec4e864f2d7e585d6c08d39bccb96d8f3bca16c6f762be15365e434234",
+ "zh:24f9afa7a1174316da3478811848cd76ef348d8a983310b8d75ed6f45abe1a92",
+ "zh:560092e47cb8a72b890b3eeafe1803202cd25cf27f5f5a6e2c370f645f5d86ae",
+ "zh:5bc69d8de198007ad1587e146f98cffacf0d1a571800da549b308ff5f4541474",
+ "zh:65248dce941472ad2a30d0754d2f3c2db6bb6fe5080946316fb097d6ba7cc79f",
+ "zh:79c9a59a8d3c60280e27a064668889594da44c60f940b046b7c8e63be01067d0",
+ "zh:87f26cadcd842d6e6d0af94ef0e56860557f5d07f487b10d69d38b63af68bea5",
+ "zh:8e42c9d0e77d61cc2e5f8c8b761f6e484774d93771927b4cb5fbdae41209dd33",
+ "zh:94ff632b9b4841527c6b652d51a850a8a47c84c0308a3efc189e0ff7e2558f87",
+ "zh:b8d32d9f17a905b63c87a23306c02c295b7c8b70f72950071aa3086396932816",
+ "zh:c91982af99474fc2e4e69be36ed3a68847f261963ed79f6a546fc75703992f99",
+ "zh:eb9c1fd3020cf61e9b7a6a38d2965f4b521495a9928705e963459a4af857f97d",
+ ]
+}
diff --git a/modules/authentik/main.tf b/modules/authentik/main.tf
index b8fba79..b5190e0 100644
--- a/modules/authentik/main.tf
+++ b/modules/authentik/main.tf
@@ -3,7 +3,7 @@ resource "authentik_group" "this" {
 name = each.value.name
 is_superuser = each.value.is_superuser
- parent = each.value.parent != null ? authentik_group.this[each.value.parent].id : null
+ parents = each.value.parents != null ? [for p in each.value.parents : authentik_group.this[p].id] : []
 attributes = jsonencode(each.value.attributes)
 }
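Review bot: `authentik_group.this[p].id` inside `resource "authentik_group" "this"` is a self-reference, and OpenTofu/Terraform reject that at validate time ("Configuration for authentik_group.this may not refer to itself"); the removed `parent` line had the same shape, so this path may never have been exercised. The usual workaround is to split the resource into roots (no `parents`) and children that reference the roots' ids, which buys one level of nesting (deeper trees need one resource per level), at the cost of renaming `authentik_group.this` for whatever references it elsewhere in the module. Two more things deserve a check once it plans: a name in `parents` that is not a key of `var.groups` fails with an opaque index error, so a `validation` on the variable would help, and if authentik propagates membership up the parent tree (as I recall it does), a child pointing at an `is_superuser = true` group hands superuser to every member of the child, so those edges warrant review rather than a silent default.
```hcl
# Root groups (no parents); children reference these, so the resource never refers to itself.
resource "authentik_group" "root" {
  for_each = { for k, g in var.groups : k => g if g.parents == null || length(g.parents) == 0 }

  name         = each.value.name
  is_superuser = each.value.is_superuser
  attributes   = jsonencode(each.value.attributes)
}

# One level of nesting: every entry in parents must be a root group key.
resource "authentik_group" "child" {
  for_each = { for k, g in var.groups : k => g if g.parents != null && length(g.parents) > 0 }

  name         = each.value.name
  is_superuser = each.value.is_superuser
  parents      = [for p in each.value.parents : authentik_group.root[p].id]
  attributes   = jsonencode(each.value.attributes)
}
```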
@@ -12,8 +12,8 @@ resource "authentik_provider_saml" "this" {
 name = each.value.name
 authorization_flow = each.value.authorization_flow
+ invalidation_flow = each.value.invalidation_flow
 acs_url = each.value.acs_url
- issuer = each.value.issuer
 sp_binding = each.value.sp_binding
 audience = each.value.audience
 name_id_mapping = each.value.name_id_mapping
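Review bot: Nothing in this block sets `verification_kp`, so unless it is set further down (the resource continues outside the hunk), AuthnRequests from the SP are accepted without signature verification; that is acceptable for many SPs, but it cannot be tightened through this module, and the default `sp_binding` flipping to `redirect` in variables.tf makes request forgery from a browser URL trivial for anyone who wants to probe the flow. Exposing it as `verification_kp = each.value.verification_kp` (optional, null by default) lets deployments require signed requests where the SP supports it. Dropping `issuer` with no replacement also means every provider falls back to the provider's default issuer, so SPs that pin the IdP entity ID will need their metadata refreshed; that belongs in the module's changelog.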
@@ -23,32 +23,31 @@ resource "authentik_provider_saml" "this" {
 resource "authentik_provider_oauth2" "this" {
 for_each = var.providers_oauth2
- name = each.value.name
- authorization_flow = each.value.authorization_flow
- client_type = each.value.client_type
- client_id = each.value.client_id
- client_secret = each.value.client_secret
- redirect_uris = each.value.redirect_uris
- property_mappings = each.value.property_mappings
- signing_key = each.value.signing_key
+ name = each.value.name
+ authorization_flow = each.value.authorization_flow
+ invalidation_flow = each.value.invalidation_flow
+ client_type = each.value.client_type
+ client_id = each.value.client_id
+ client_secret = each.value.client_secret
+ property_mappings = each.value.property_mappings
+ signing_key = each.value.signing_key
 access_token_validity = each.value.access_token_validity
 }
 resource "authentik_provider_ldap" "this" {
 for_each = var.providers_ldap
- name = each.value.name
- authorization_flow = each.value.authorization_flow
- base_dn = each.value.base_dn
- bind_flow = each.value.bind_flow
- search_group = each.value.search_group
- certificate = each.value.certificate
- tls_server_name = each.value.tls_server_name
- uid_start_number = each.value.uid_start_number
- gid_start_number = each.value.gid_start_number
- search_mode = each.value.search_mode
- bind_mode = each.value.bind_mode
- mfa_support = each.value.mfa_support
+ name = each.value.name
+ bind_flow = each.value.bind_flow
+ unbind_flow = each.value.unbind_flow
+ base_dn = each.value.base_dn
+ certificate = each.value.certificate
+ tls_server_name = each.value.tls_server_name
+ uid_start_number = each.value.uid_start_number
+ gid_start_number = each.value.gid_start_number
+ search_mode = each.value.search_mode
+ bind_mode = each.value.bind_mode
+ mfa_support = each.value.mfa_support
 }
 resource "authentik_application" "saml" {
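Review bot: The OAuth2 provider no longer constrains redirect targets at all — `redirect_uris` is removed with no replacement — and authentik has historically saved the first redirect URI it sees on a provider that has none configured, which lets whoever sends the first authorization request pin it. Current provider versions model this as `allowed_redirect_uris` (a list of `{ matching_mode, url }` objects, if memory serves), so it should be passed through as `allowed_redirect_uris = each.value.allowed_redirect_uris` with a required attribute of that shape in `var.providers_oauth2`, so that a provider with no allowlist cannot be created from this module. On the LDAP side `search_group` is dropped as well; if directory search moved to authentik's RBAC permissions, document which permission now gates enumeration of the directory, since nothing in this block restricts it any more.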
@@ -81,5 +80,4 @@ resource "authentik_outpost" "ldap" {
 name = "${each.key}-outpost"
 type = "ldap"
 protocol_providers = [authentik_provider_ldap.this[each.key].id]
- service_connection = "local"
 }
diff --git a/modules/authentik/variables.tf b/modules/authentik/variables.tf
index e40db37..9095a19 100644
--- a/modules/authentik/variables.tf
+++ b/modules/authentik/variables.tf
@@ -1,9 +1,9 @@
 variable "groups" {
 type = map(object({
- name = string
+ name = string
 is_superuser = optional(bool, false)
- parent = optional(string, null)
- attributes = optional(map(string), {})
+ parents = optional(list(string), null)
+ attributes = optional(map(string), {})
 }))
 default = {}
 }
@@ -12,9 +12,9 @@ variable "providers_saml" {
 type = map(object({
 name = string
 authorization_flow = string
+ invalidation_flow = string
 acs_url = string
- issuer = optional(string, null)
- sp_binding = optional(string, "post")
+ sp_binding = optional(string, "redirect")
 audience = optional(string, "")
 name_id_mapping = optional(string, null)
 signing_kp = optional(string, null)
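Review bot: The `sp_binding` default silently flips from `post` to `redirect` for every caller that did not set it, and nothing validates the value, so a typo only surfaces as an opaque provider API error; the `variable "providers_saml"` block continues past the hunk, so a `validation` can go there, e.g. `condition = alltrue([for p in var.providers_saml : contains(["post", "redirect"], p.sp_binding)])` with an `error_message` naming the accepted values, plus a changelog line for the default change. The unchanged `audience = optional(string, "")` line is worth a comment as well: as far as I recall authentik emits no AudienceRestriction when the audience is empty, so an assertion minted for one SP can be presented to any other SP that trusts this IdP; a required `audience`, or at least a comment `# empty audience = no AudienceRestriction in the assertion; set per SP`, would make that trade-off visible to callers.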
@@ -24,33 +24,32 @@ variable "providers_saml" {
 variable "providers_oauth2" {
 type = map(object({
- name = string
- authorization_flow = string
- client_type = optional(string, "confidential")
- client_id = optional(string, null)
- client_secret = optional(string, null)
- redirect_uris = optional(list(string), [])
- property_mappings = optional(list(string), [])
- signing_key = optional(string, null)
- access_token_validity = optional(string, "minutes=5")
+ name = string
+ authorization_flow = string
+ invalidation_flow = string
+ client_type = optional(string, "confidential")
+ client_id = string
+ client_secret = optional(string, null)
+ property_mappings = optional(list(string), [])
+ signing_key = optional(string, null)
+ access_token_validity = optional(string, "minutes=10")
 }))
 default = {}
 }
 variable "providers_ldap" {
 type = map(object({
- name = string
- authorization_flow = string
- base_dn = string
- bind_flow = optional(string, null)
- search_group = optional(string, null)
- certificate = optional(string, null)
- tls_server_name = optional(string, null)
- uid_start_number = optional(number, 2000)
- gid_start_number = optional(number, 4000)
- search_mode = optional(string, "cached")
- bind_mode = optional(string, "cached")
- mfa_support = optional(bool, true)
+ name = string
+ bind_flow = string
+ unbind_flow = string
+ base_dn = string
+ certificate = optional(string, null)
+ tls_server_name = optional(string, null)
+ uid_start_number = optional(number, 2000)
+ gid_start_number = optional(number, 4000)
+ search_mode = optional(string, "direct")
+ bind_mode = optional(string, "direct")
+ mfa_support = optional(bool, true)
 }))
 default = {}
 }
diff --git a/modules/authentik/versions.tf b/modules/authentik/versions.tf
new file mode 100644
index 0000000..af40006
--- /dev/null
+++ b/modules/authentik/versions.tf
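Review bot: `client_secret` sits inside a plain `map(object)` and `variable "providers_oauth2"` carries no `sensitive = true`, so every plan and apply prints each client's secret in clear in CI logs; object attributes cannot be marked individually, so the whole variable needs `sensitive = true`, and since the value (or the one the provider generates when it is null) still lands in state, the README should say that the state backend is the effective secret store. `access_token_validity` doubling from `minutes=5` to `minutes=10` and the LDAP `search_mode`/`bind_mode` defaults flipping from `cached` to `direct` are both behaviour changes for callers that never set them — the second changes which flow every LDAP bind actually hits — and deserve a changelog entry rather than a silent default swap.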
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = ">= 2026.5.0"
+ }
+ }
+}
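Review bot: `version = ">= 2026.5.0"` has no upper bound, so `tofu init -upgrade` will move to any future release of the provider, including ones that rename or drop attributes this module relies on — this very commit is chasing such a change (`redirect_uris`, `search_group`, `service_connection`). A pessimistic constraint, `version = "~> 2026.5"`, keeps upgrades deliberate while still accepting releases within the year; the lockfile pins the exact version for a plain `init`, but only this line governs `-upgrade`. The new lockfile also carries a single `h1:` hash, so `tofu init` on any other platform falls back to the `zh:` hashes and rewrites the file; running `tofu providers lock -platform=...` for each platform CI and developers use avoids that churn and keeps the hash set complete.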