resource "authentik_group" "this" { for_each = var.groups name = each.value.name is_superuser = each.value.is_superuser parents = each.value.parents != null ? [for p in each.value.parents : authentik_group.this[p].id] : [] attributes = jsonencode(each.value.attributes) } resource "authentik_provider_saml" "this" { for_each = var.providers_saml name = each.value.name authorization_flow = each.value.authorization_flow invalidation_flow = each.value.invalidation_flow acs_url = each.value.acs_url sp_binding = each.value.sp_binding audience = each.value.audience name_id_mapping = each.value.name_id_mapping signing_kp = each.value.signing_kp } # Resolve oauth2 flows by slug and scope mappings by managed identifier, and # read client secrets from Vault so nothing sensitive is committed. data "authentik_flow" "oauth2_authorization" { for_each = var.providers_oauth2 slug = each.value.authorization_flow } data "authentik_flow" "oauth2_invalidation" { for_each = var.providers_oauth2 slug = each.value.invalidation_flow } data "authentik_property_mapping_provider_scope" "oauth2" { for_each = { for k, v in var.providers_oauth2 : k => v if length(v.scope_mappings) > 0 } managed_list = each.value.scope_mappings } data "vault_kv_secret_v2" "oauth2" { for_each = { for k, v in var.providers_oauth2 : k => v if v.client_secret_vault != null } mount = each.value.client_secret_vault.mount name = each.value.client_secret_vault.path } resource "authentik_provider_oauth2" "this" { for_each = var.providers_oauth2 name = each.value.name authorization_flow = data.authentik_flow.oauth2_authorization[each.key].id invalidation_flow = data.authentik_flow.oauth2_invalidation[each.key].id client_type = each.value.client_type client_id = each.value.client_id client_secret = each.value.client_secret_vault != null ? data.vault_kv_secret_v2.oauth2[each.key].data["client_secret"] : null property_mappings = try(data.authentik_property_mapping_provider_scope.oauth2[each.key].ids, []) signing_key = each.value.signing_key access_token_validity = each.value.access_token_validity allowed_redirect_uris = each.value.redirect_uris } resource "authentik_provider_ldap" "this" { for_each = var.providers_ldap name = each.value.name bind_flow = each.value.bind_flow unbind_flow = each.value.unbind_flow base_dn = each.value.base_dn certificate = each.value.certificate tls_server_name = each.value.tls_server_name uid_start_number = each.value.uid_start_number gid_start_number = each.value.gid_start_number search_mode = each.value.search_mode bind_mode = each.value.bind_mode mfa_support = each.value.mfa_support } resource "authentik_application" "saml" { for_each = var.providers_saml name = each.value.name slug = each.key protocol_provider = authentik_provider_saml.this[each.key].id } resource "authentik_application" "oauth2" { for_each = var.providers_oauth2 name = each.value.name slug = each.key protocol_provider = authentik_provider_oauth2.this[each.key].id } resource "authentik_application" "ldap" { for_each = var.providers_ldap name = each.value.name slug = each.key protocol_provider = authentik_provider_ldap.this[each.key].id } resource "authentik_outpost" "ldap" { for_each = var.providers_ldap name = "${each.key}-outpost" type = "ldap" protocol_providers = [authentik_provider_ldap.this[each.key].id] }