7636d45f21
Adding the first managed group (argocd-admins) exposed a dormant bug: the groups resource resolved `parents` by indexing authentik_group.this itself, which OpenTofu rejects as a self-referential block. config/groups/ had been empty, so `tofu plan` never hit it before. Pass `parents` through as literal group PKs instead (the resource cannot reference itself, so parent-by-map-key was never viable). Plan is clean: 3 to add (argocd provider, application, argocd-admins group).
108 lines
3.6 KiB
Terraform
108 lines
3.6 KiB
Terraform
resource "authentik_group" "this" {
|
|
for_each = var.groups
|
|
|
|
name = each.value.name
|
|
is_superuser = each.value.is_superuser
|
|
parents = each.value.parents
|
|
attributes = jsonencode(each.value.attributes)
|
|
}
|
|
|
|
resource "authentik_provider_saml" "this" {
|
|
for_each = var.providers_saml
|
|
|
|
name = each.value.name
|
|
authorization_flow = each.value.authorization_flow
|
|
invalidation_flow = each.value.invalidation_flow
|
|
acs_url = each.value.acs_url
|
|
sp_binding = each.value.sp_binding
|
|
audience = each.value.audience
|
|
name_id_mapping = each.value.name_id_mapping
|
|
signing_kp = each.value.signing_kp
|
|
}
|
|
|
|
# Resolve oauth2 flows by slug and scope mappings by managed identifier, and
|
|
# read client secrets from Vault so nothing sensitive is committed.
|
|
data "authentik_flow" "oauth2_authorization" {
|
|
for_each = var.providers_oauth2
|
|
slug = each.value.authorization_flow
|
|
}
|
|
|
|
data "authentik_flow" "oauth2_invalidation" {
|
|
for_each = var.providers_oauth2
|
|
slug = each.value.invalidation_flow
|
|
}
|
|
|
|
data "authentik_property_mapping_provider_scope" "oauth2" {
|
|
for_each = { for k, v in var.providers_oauth2 : k => v if length(v.scope_mappings) > 0 }
|
|
managed_list = each.value.scope_mappings
|
|
}
|
|
|
|
data "vault_kv_secret_v2" "oauth2" {
|
|
for_each = { for k, v in var.providers_oauth2 : k => v if v.client_secret_vault != null }
|
|
mount = each.value.client_secret_vault.mount
|
|
name = each.value.client_secret_vault.path
|
|
}
|
|
|
|
resource "authentik_provider_oauth2" "this" {
|
|
for_each = var.providers_oauth2
|
|
|
|
name = each.value.name
|
|
authorization_flow = data.authentik_flow.oauth2_authorization[each.key].id
|
|
invalidation_flow = data.authentik_flow.oauth2_invalidation[each.key].id
|
|
client_type = each.value.client_type
|
|
client_id = each.value.client_id
|
|
client_secret = each.value.client_secret_vault != null ? data.vault_kv_secret_v2.oauth2[each.key].data["client_secret"] : null
|
|
property_mappings = try(data.authentik_property_mapping_provider_scope.oauth2[each.key].ids, [])
|
|
signing_key = each.value.signing_key
|
|
access_token_validity = each.value.access_token_validity
|
|
allowed_redirect_uris = each.value.redirect_uris
|
|
}
|
|
|
|
resource "authentik_provider_ldap" "this" {
|
|
for_each = var.providers_ldap
|
|
|
|
name = each.value.name
|
|
bind_flow = each.value.bind_flow
|
|
unbind_flow = each.value.unbind_flow
|
|
base_dn = each.value.base_dn
|
|
certificate = each.value.certificate
|
|
tls_server_name = each.value.tls_server_name
|
|
uid_start_number = each.value.uid_start_number
|
|
gid_start_number = each.value.gid_start_number
|
|
search_mode = each.value.search_mode
|
|
bind_mode = each.value.bind_mode
|
|
mfa_support = each.value.mfa_support
|
|
}
|
|
|
|
resource "authentik_application" "saml" {
|
|
for_each = var.providers_saml
|
|
|
|
name = each.value.name
|
|
slug = each.key
|
|
protocol_provider = authentik_provider_saml.this[each.key].id
|
|
}
|
|
|
|
resource "authentik_application" "oauth2" {
|
|
for_each = var.providers_oauth2
|
|
|
|
name = each.value.name
|
|
slug = each.key
|
|
protocol_provider = authentik_provider_oauth2.this[each.key].id
|
|
}
|
|
|
|
resource "authentik_application" "ldap" {
|
|
for_each = var.providers_ldap
|
|
|
|
name = each.value.name
|
|
slug = each.key
|
|
protocol_provider = authentik_provider_ldap.this[each.key].id
|
|
}
|
|
|
|
resource "authentik_outpost" "ldap" {
|
|
for_each = var.providers_ldap
|
|
|
|
name = "${each.key}-outpost"
|
|
type = "ldap"
|
|
protocol_providers = [authentik_provider_ldap.this[each.key].id]
|
|
}
|