Adding the first managed group (argocd-admins) exposed a dormant bug: the
groups resource resolved `parents` by indexing authentik_group.this itself,
which OpenTofu rejects as a self-referential block. config/groups/ had been
empty, so `tofu plan` never hit it before.
Pass `parents` through as literal group PKs instead (the resource cannot
reference itself, so parent-by-map-key was never viable). Plan is clean:
3 to add (argocd provider, application, argocd-admins group).
Extends Authentik SSO to ArgoCD so cluster operators log in with their
Authentik identity and group membership instead of the local admin account.
- Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider +
application (slug argocd), client_id argocd, openid/email/profile scopes,
web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from
Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching
the existing Grafana pattern.
The CI VAULT_TOKEN (short-lived k8s-auth role token) can't create child
tokens, so the vault provider failed with 'failed to create limited child
token: permission denied'. Use the token directly.
The authentik provider needs a token but nothing supplied it, so plan
failed with 'No value for required variable authentik_token'. Source it
from Vault in vault_env like the consul creds, from the dedicated
terraform-service path kv/service/terraform/authentik (field: token),
overridable via AUTHENTIK_TOKEN_KV_* vars.
The module's versions.tf and the root.hcl-generated backend.tf both
declared required_providers, which OpenTofu rejects ("A module may have
only one required providers configuration"), so terragrunt init/plan
failed. Keep them in the module's versions.tf (authentik + vault) and
generate only the backend + provider blocks.
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.
Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
and scope mappings by managed identifier
(data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.
config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
- Terraform module for groups, SAML/OAuth2/LDAP providers, applications, and LDAP outposts
- Data-driven YAML config with Terragrunt config loader
- Environment: identity.unkin.net with Consul backend
- Provider: goauthentik/authentik 2026.5.0
- Woodpecker CI pipelines (pre-commit, plan, apply)
- Makefile with Vault AppRole and K8s auth support