Files
terraform-authentik/modules/authentik/main.tf
T
unkinben 97be93a9ff
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
authentik: add Grafana OAuth2/OIDC provider + application
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
2026-07-06 22:06:48 +10:00

108 lines
3.7 KiB
Terraform

resource "authentik_group" "this" {
for_each = var.groups
name = each.value.name
is_superuser = each.value.is_superuser
parents = each.value.parents != null ? [for p in each.value.parents : authentik_group.this[p].id] : []
attributes = jsonencode(each.value.attributes)
}
resource "authentik_provider_saml" "this" {
for_each = var.providers_saml
name = each.value.name
authorization_flow = each.value.authorization_flow
invalidation_flow = each.value.invalidation_flow
acs_url = each.value.acs_url
sp_binding = each.value.sp_binding
audience = each.value.audience
name_id_mapping = each.value.name_id_mapping
signing_kp = each.value.signing_kp
}
# Resolve oauth2 flows by slug and scope mappings by managed identifier, and
# read client secrets from Vault so nothing sensitive is committed.
data "authentik_flow" "oauth2_authorization" {
for_each = var.providers_oauth2
slug = each.value.authorization_flow
}
data "authentik_flow" "oauth2_invalidation" {
for_each = var.providers_oauth2
slug = each.value.invalidation_flow
}
data "authentik_property_mapping_provider_scope" "oauth2" {
for_each = { for k, v in var.providers_oauth2 : k => v if length(v.scope_mappings) > 0 }
managed_list = each.value.scope_mappings
}
data "vault_kv_secret_v2" "oauth2" {
for_each = { for k, v in var.providers_oauth2 : k => v if v.client_secret_vault != null }
mount = each.value.client_secret_vault.mount
name = each.value.client_secret_vault.path
}
resource "authentik_provider_oauth2" "this" {
for_each = var.providers_oauth2
name = each.value.name
authorization_flow = data.authentik_flow.oauth2_authorization[each.key].id
invalidation_flow = data.authentik_flow.oauth2_invalidation[each.key].id
client_type = each.value.client_type
client_id = each.value.client_id
client_secret = each.value.client_secret_vault != null ? data.vault_kv_secret_v2.oauth2[each.key].data["client_secret"] : null
property_mappings = try(data.authentik_property_mapping_provider_scope.oauth2[each.key].ids, [])
signing_key = each.value.signing_key
access_token_validity = each.value.access_token_validity
allowed_redirect_uris = each.value.redirect_uris
}
resource "authentik_provider_ldap" "this" {
for_each = var.providers_ldap
name = each.value.name
bind_flow = each.value.bind_flow
unbind_flow = each.value.unbind_flow
base_dn = each.value.base_dn
certificate = each.value.certificate
tls_server_name = each.value.tls_server_name
uid_start_number = each.value.uid_start_number
gid_start_number = each.value.gid_start_number
search_mode = each.value.search_mode
bind_mode = each.value.bind_mode
mfa_support = each.value.mfa_support
}
resource "authentik_application" "saml" {
for_each = var.providers_saml
name = each.value.name
slug = each.key
protocol_provider = authentik_provider_saml.this[each.key].id
}
resource "authentik_application" "oauth2" {
for_each = var.providers_oauth2
name = each.value.name
slug = each.key
protocol_provider = authentik_provider_oauth2.this[each.key].id
}
resource "authentik_application" "ldap" {
for_each = var.providers_ldap
name = each.value.name
slug = each.key
protocol_provider = authentik_provider_ldap.this[each.key].id
}
resource "authentik_outpost" "ldap" {
for_each = var.providers_ldap
name = "${each.key}-outpost"
type = "ldap"
protocol_providers = [authentik_provider_ldap.this[each.key].id]
}