
terraform-provider-authentik's People

Contributors

ajauniskis, angelnu, beryju, dependabot[bot], flyte, github-actions[bot], gueldenstone, issy, l-with, mareo, oliviermichaelis, pinarruiz, rissson, senare, tanberry, uniservejake

terraform-provider-authentik's Issues

oauth2 provider client secret stored incorrectly

Currently, the terraform provider causes an inconsistent client_secret when the backend generates it. This causes other resources that use that client secret to then fail to create because of inconsistent input data.

Terraform version: 2022.6.3
Authentik version: 2022.5.3

I believe it is an issue with the storage as running the system in trace mode shows the api return to be consistent, but for it not to be what was stored in tfstate. This would be either an issue when the secret is deserialized from json or when it is stored.

Example

A trivial example between connecting authentik with hashicorp vault:

resource "authentik_provider_oauth2" "vault" {
  name               = "vault"
  client_id          = "vault"
  signing_key        = "SomeEXISTINGKEy"
  authorization_flow = "6c990535-adcf-4196-8b87-4ec8548c1b20"
  redirect_uris = [
    "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8200/oidc/callback",
    "http://localhost:8250/oidc/callback",
  ]
}

resource "authentik_application" "vault" {
  name              = "Vault"
  slug              = "vault"
  protocol_provider = authentik_provider_oauth2.vault.id
}

resource "vault_jwt_auth_backend" "authentik" {
  type               = "oidc"
  path               = "oidc"
  description        = "out authentik backend"
  oidc_client_id     = authentik_provider_oauth2.vault.client_id
  oidc_client_secret = authentik_provider_oauth2.vault.client_secret
  oidc_discovery_url = "http://localhost:9000/application/o/${authentik_application.vault.slug}/"
  default_role       = "reader"
  tune {
    listing_visibility = "unauth"
  }
}

This will error with the following:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for vault_jwt_auth_backend.authentik to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/vault" produced an
│ invalid new value for .oidc_client_secret: inconsistent values for sensitive attribute.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

However, running terraform in trace mode will show more detail:

{"pk":4,"name":"vault","authorization_flow":"6c990535-adcf-4196-8b87-4ec8548c1b20","property_mappings":[],"component":"ak-provider-oauth2-form","assigned_application_slug":"vault","assigned_application_name":"Vault","verbose_name":"OAuth2/OpenID Provider","verbose_name_plural":"OAuth2/OpenID Providers","meta_model_name":"authentik_providers_oauth2.oauth2provider","client_type":"confidential","client_id":"vault","client_secret":"QG`}7gW|M#%$Mu,$I;{RSF_M[7x\\4Ub1qORcx4xS[7?g9>=rRYuj=GK^,_!s0^QX+MSTL-GV#TX_D\\rg-UzESGE@wnGZw0c:UuxFvq|SYIZ0M)C}rg1HMjh&.urHN!sO","access_code_validity":"minutes=1","token_validity":"minutes=10","include_claims_in_id_token":true,"signing_key":"2478cf44-fa23-42c0-9370-a8fd12c61aeb","redirect_uris":"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\nhttp://localhost:8200/oidc/callback\nhttp://localhost:8250/oidc/callback","sub_mode":"hashed_user_id","issuer_mode":"per_provider","verification_keys":[]}: timestamp=2022-07-04T00:29:13.502-0400
2022-07-04T00:29:13.503-0400 [INFO]  provider.terraform-provider-authentik_v2022.6.3: 2022/07/04 00:29:13 
GET /api/v3/providers/oauth2/4/ HTTP/1.1
Host: localhost:9000
User-Agent: [email protected]
Accept: application/json
Authorization: Bearer cHMFTeCsS2T1lPyXcwaUELBqKutqyxOlfFueGs0i15EC3JXjDTHRqrBJrUFVM2l39KRjrCUcjvWRNQ8voDbz9in5KglzKrb0k5sZvdQzRN9uejSMBWTJWi8mvjWkJpAM
Accept-Encoding: gzip
: timestamp=2022-07-04T00:29:13.502-0400
2022-07-04T00:29:13.547-0400 [WARN]  Provider "provider[\"registry.terraform.io/goauthentik/authentik\"]" produced an unexpected new value for authentik_provider_oauth2.vault, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .client_secret: inconsistent values for sensitive attribute

So the client secret is detected as drifting, and this is indeed the case; inspecting the tfstate file I find:

            "client_secret": "QG`}7gW|M#%$Mu,$I;{RSF_M[7x\\4Ub1qORcx4xS[7?g9\u003e=rRYuj=GK^,_!s0^QX+MSTL-GV#TX_D\\rg-UzESGE@wnGZw0c:UuxFvq|SYIZ0M)C}rg1HMjh\u0026.urHN!sO",

For ease of comparison, the client_secret from the API response is repeated here:

"client_secret":"QG`}7gW|M#%$Mu,$I;{RSF_M[7x\\4Ub1qORcx4xS[7?g9>=rRYuj=GK^,_!s0^QX+MSTL-GV#TX_D\\rg-UzESGE@wnGZw0c:UuxFvq|SYIZ0M)C}rg1HMjh&.urHN!sO"

It appears it has incorrectly translated some of the characters into unicode when storing them, which is causing issues.
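A check a reader can run on the two spellings quoted above (`\u003e` versus `>`, `\u0026` versus `&`), as an added example that is not part of the original issue or the provider's code: Go's encoding/json escapes `<`, `>` and `&` by default when writing JSON, so the comparison that matters is between the decoded strings, not the raw text. The secret below is a constructed sample and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample secret (not the value from the issue). It contains the
// three characters encoding/json escapes by default, plus a backslash.
const sampleSecret = `aB>=cd&.ef<gh\ij`

// marshalDefault serializes s the way json.Marshal does, with HTML-safe
// escaping enabled: '<', '>' and '&' become \u003c, \u003e and \u0026.
func marshalDefault(s string) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// marshalNoHTMLEscape serializes s with HTML-safe escaping switched off,
// which is the form most HTTP APIs return.
func marshalNoHTMLEscape(s string) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(s); err != nil {
		return "", err
	}
	// Encode appends a trailing newline; drop it for comparison.
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// sameAfterDecode reports whether two JSON string literals decode to the
// same Go string, regardless of how their characters were escaped.
func sameAfterDecode(a, b string) (bool, error) {
	var x, y string
	if err := json.Unmarshal([]byte(a), &x); err != nil {
		return false, fmt.Errorf("decoding first literal: %w", err)
	}
	if err := json.Unmarshal([]byte(b), &y); err != nil {
		return false, fmt.Errorf("decoding second literal: %w", err)
	}
	return x == y, nil
}

func main() {
	escaped, err := marshalDefault(sampleSecret)
	if err != nil {
		panic(err)
	}
	plain, err := marshalNoHTMLEscape(sampleSecret)
	if err != nil {
		panic(err)
	}
	same, err := sameAfterDecode(escaped, plain)
	if err != nil {
		panic(err)
	}
	fmt.Println("default encoder: ", escaped)
	fmt.Println("escaping off:    ", plain)
	fmt.Println("raw text equal:  ", escaped == plain)
	fmt.Println("decoded equal:   ", same)
}
```

If the decoded values match, a difference seen only in the raw state file text is an encoding detail and the mismatch Terraform reports has to be looked for elsewhere.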

Sharing Outpost

Outposts cost resources (since they create deployments).
Authentik clearly allows sharing an outpost between many providers/applications.

Yet I don't see a single way to do this using this provider.

The official Kubernetes provider allows modifying existing objects using:
https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/labels

Something related to this would help a lot.

A bit related to #341 or #310.
But the option of creating a new outpost for every application willing to use authentik is clearly not viable.

Setting password for a user

This endpoint is not covered by the provider. As a workaround for now, using the http provider:

locals {
  password = "some password"
  userid = "xyz"
  request_headers = {
    "Content-Type"  = "application/json"
    Authorization   = "Bearer ${local.authentik-token}"
  }
}

data "http" "gitea_ldapsearch_password" {
  url    = "https://${var.authentik-url}/api/v3/core/users/${local.userid}/set_password/"
  method = "POST"
  request_headers = local.request_headers
  request_body = jsonencode({password=local.password})
  lifecycle {
    postcondition {
      condition     = contains([201, 204], self.status_code)
      error_message = "Status code invalid"
    }
  }
}

Create flow from blueprint

Hello there!
First of all, thanks for all your work! It's so good to have a complete solution as Authentik and also to be able to manage it via terraform.

What I'm trying to do right now is create a flow from an existing blueprint. The documentation comments on two options:

image

The first option is managed by the terraform resource authentik_blueprint. The blueprint is created but it doesn't appear as a flow.

My question (or feature request if not possible) would be: is it possible to create a flow using a blueprint file from terraform?

It's possible to do it, as I've done it myself via the webpage, and it is also stated in the capture I posted, if I understand it correctly.

If I can add more information, just tell me to.

Thanks!

authentik_stage_prompt_field placeholder not idempotent

I have the following resource:

resource "authentik_stage_prompt_field" "username" {
  field_key = "username"
  label     = "Username"
  type      = "text"
  order = 200
  placeholder = <<EOT
try:
    return user.username
except:
    return ''
EOT
  placeholder_expression = true
  required = true
}

Whenever I do a terraform plan or terraform apply, the placeholder shows as a change even though it doesn't change anything:

  # authentik_stage_prompt_field.username will be updated in-place
  ~ resource "authentik_stage_prompt_field" "username" {
        field_key              = "username"
        id                     = "336a7a60-c42c-46e4-ba16-329ffc82edc1"
        label                  = "Username"
        order                  = 200
      ~ placeholder            = <<~EOT
            try:
                return user.username
            except:
                return ''
        EOT
        placeholder_expression = true
        required               = true
        type                   = "text"
    }

Until this issue is solved you can patch it by adding a lifecycle directive to your resource definition:

  lifecycle {
    ignore_changes = [
      placeholder,
    ]
  }

Note: it only happens on resources that have placeholder_expression = true

False negatives when refreshing state of resources

I am seeing this in many different resources with the authentik provider: a resource was created in the past, and a subsequent "terraform apply" will falsely try to create the resource, either thinking it does not currently exist or it has changed and needs to be replaced. For example:

resource "authentik_provider_proxy" "the_proxy" {
  count                  = 1
  name                  = "some-proxy"
  mode                  = "forward_single"
  internal_host         = null 
  external_host         = "https://some-service.example.com"
  authorization_flow    = data.authentik_flow.default-authorization-flow.id
  access_token_validity = "hours=12" 
}

With the following logs:

authentik_provider_proxy.the_proxy[0]: Refreshing state... [id=1]

and then

Error: HTTP Error '400 Bad Request' during request 'POST /api/v3/providers/proxy/': "{"name":["provider with this name already exists."]}"

I have no idea how to reproduce this. Currently on provider version 2024.2.0, and authentik 2024.2.1.

meta_icon in authentik_application keeps changing

I am trying to set meta_icon in several applications, but am running into an issue. If I try to use the full actual path "/media/application-icons/whatever.png" in terraform, after applying, it is set to "/media/media/application-icons/whatever.png", which doesn't work. I changed my terraform file to use the path "/application-icons/whatever.png" which works and Authentik shows the icon, but then terraform wants to modify the value every time as the API returns "/media/application-icons/whatever.png".

Using v2023.8.0

image

Attach an application to the default outpost

Hello! First I want to congratulate for the amazing authentik!! It's fabulous!

I need some help...I can create an application and proxy provider, and I want to attach the application to default outpost "authentik Embedded Outpost". I'm aware that this issue is similar to #310 but the user there solved it creating a new outpost for k8s, I tried creating a new outpost for the docker connection but it didn't work for me. Only attaching to the default outpost did.

Could you evaluate to create a data source for authentik_outpost?

Check haveibeenpwned.com

Hello!
In the new version of authentik, the hibp policy is combined with the password policy.
So when will you update the terraform resources?
Thank you !)

Include missing keys in `authentik_stage_authenticator_webauthn`

In Authentik you can configure some WebAuthn specific properties that are not reflected in the terraform provider:

  • User verification (key: user_verification)
  • Resident key requirement (key: resident_key_requirement)
  • Authenticator Attachment (key: authenticator_attachment)

All these properties are exported if you export a flow containing a WebAuthn Stage. You can see them in model here and their support through authentik api here.

It would be nice, if these properties were configurable through terraform too.

authentik_stage_identification sources not idempotent

Terraform keeps suggesting to change the order of the sources in my authentik_stage_identification resource.

  # authentik_stage_identification.my-authentication-identification has changed
  ~ resource "authentik_stage_identification" "my-authentication-identification" {
        id                        = "e742627a-b9a7-4331-93be-30d98328fd8f"
        name                      = "my-authentication-identification"
      ~ sources                   = [
          - "5eb885ab-d1a9-4404-b3a6-ab58bacbaccf",
            "a1043bac-3475-4d04-9b04-4126ac3c486a",
          + "5eb885ab-d1a9-4404-b3a6-ab58bacbaccf",
        ]
        # (4 unchanged attributes hidden)
    }

I've tried applying the change or changing the order in my code but it keeps happening. Even adding a lifecycle ignore_changes sources doesn't make it go away.

resource "authentik_stage_identification" "my-authentication-identification" {
  name               = "my-authentication-identification"
  user_fields        = ["username", "email"]
  show_source_labels = true
  sources = [
    data.authentik_source.inbuilt.uuid,
    authentik_source_oauth.azure_ad.uuid,
  ]
  lifecycle {
    ignore_changes = [
      sources,
    ]
  }
}

version = "2023.5.0"

Create API access token through terraform?

I am setting up authentik with manually deployed LDAP outpost and I figured out how to create almost everything, including the bind dn account as a service account, through terraform. The thing I can't do is create an API access token to use with the bind dn account. This would require a new resource (authentik_api_token) unless there is a magic user attribute which makes authentik create an API token on user creation.

authentik_policy_binding cannot bind expression policy to a stage

Hi,

I'm trying to follow https://goauthentik.io/integrations/sources/google/#username-mapping as code.
I came up with this:

resource "authentik_policy_expression" "username" {
  name       = "username"
  expression = <<EOT
email = request.context["prompt_data"]["email"]
request.context["prompt_data"]["username"] = email[0] + email.split('@')[0].split('.')[1]
return False
EOT
}

data "authentik_stage" "default-source-enrollment-prompt" {
    name = "default-source-enrollment-prompt"
}

resource "authentik_policy_binding" "username-enrollment" {
     target = data.authentik_stage.default-source-enrollment-prompt.id
     policy = authentik_policy_expression.username.id
     order  = 0
}

The authentik_policy_binding doesn't seem to like my target argument. I tried manually creating the binding and importing it; I now have an ID for target that doesn't match anything. I tried dumping the authentik DB to see where this ID is mentioned, and it's mentioned only once, in the table public.authentik_flows_flowstagebinding.

I think there is no way to bind an expression policy to a stage currently.

Add resource and data source for OAuth Scope Mapping

It appears there is no resource nor data source that we could use to provide or access an OAuth Scope Mapping.

It would be nice to have one.

Perhaps authentik_property_mapping_oauth or authentik_property_mapping_oauth_scope to keep it consistent with the existing naming?

HIBP policy in flow

Hi.

I did password recovery, added policy HIBP to it, but it doesn't work like that, because the policy is waiting for the password field, but it doesn't let you enter the password. If this policy is set to a lower level, the policy does not check the password.
Tell me what I'm doing wrong, and how to set this policy correctly.

image

outpost config fields `kubernetes_ingress_secret_name` and `object_naming_template` are not written

Description

The fields in authentik_outpost.config are not all recognised/applied.
Fields:

  • kubernetes_ingress_secret_name
  • object_naming_template

these 2 are always using the system default values.
Others seem to work fine (not tested all).
Changing these values in the authentik admin ui works as intended.

Example:

terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2022.1.1"
    }
  }
}

data "authentik_flow" "default_provider_authorization_explicit_consent" {
  slug = "default-provider-authorization-explicit-consent"
}

resource "authentik_provider_proxy" "test" {
  name               = "test"
  internal_host      = "http://test.default.svc.cluster.local"
  external_host      = "https://test.domain.io"
  authorization_flow = data.authentik_flow.default_provider_authorization_explicit_consent.id
}

resource "authentik_service_connection_kubernetes" "local" {
  name  = "Local Kubernetes Cluster"
  local = true
}

resource "authentik_outpost" "test" {
  name               = "test"
  service_connection = authentik_service_connection_kubernetes.local.id
  protocol_providers = [
    authentik_provider_proxy.test.id
  ]
  type = "proxy"
  config = jsonencode(
    {
      authentik_host                 = "https://authentik.domain.io"
      authentik_host_browser         = ""
      authentik_host_insecure        = false
      container_image                = null
      docker_labels                  = null
      docker_map_ports               = true
      docker_network                 = null
      kubernetes_disabled_components = []
      kubernetes_image_pull_secrets  = []
      kubernetes_ingress_annotations = {
        "cert-manager.io/cluster-issuer"                   = "letsencrypt-production"
        "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
      }
      kubernetes_ingress_secret_name = "authentik-outpost-test-cert"
      kubernetes_namespace           = "authentik-system"
      kubernetes_replicas            = 1
      kubernetes_service_type        = "ClusterIP"
      log_level                      = "debug"
      object_naming_template         = "ak-outpost-%(name)s"
    }
  )
}

Expected Behaviour

Config fields should accept all values.

Workaround

Prevent creation of ingress and create ingress with terraform :/

authentik_flow ignores changes to background

When setting the background attribute of authentik_flow to either a path within Authentik (e.g., /media/public/flow-backgrounds/background.png) or to a URL as per the documentation, Terraform reports that the resource was successfully changed, but the previous value of background remains unchanged.

If you run Terraform in debug mode, you can see that it notices this but ignores it:

2024-03-09T11:48:08.405-0500 [INFO]  provider.terraform-provider-authentik_v2024.2.0: 2024/03/09 11:48:08
GET /api/v3/flows/instances/test-authentication-flow/ HTTP/1.1
Host: auth.example.com
User-Agent: [email protected]
Accept: application/json
Authorization: Bearer TOKEN
Accept-Encoding: gzip
: timestamp=2024-03-09T11:48:08.405-0500
2024-03-09T11:48:08.438-0500 [INFO]  provider.terraform-provider-authentik_v2024.2.0: 2024/03/09 11:48:08
HTTP/1.1 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Date: Sat, 09 Mar 2024 16:48:08 GMT
Referrer-Policy: same-origin
Vary: Accept-Encoding
Vary: Cookie
X-Authentik-Id: LONGHASH
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Powered-By: authentik

{"pk":"HASH","policybindingmodel_ptr_id":"HASH","name":"Welcome to Test Website","slug":"test-authentication-flow","title":"Welcome to Test Website","designation":"authentication","background":"/static/dist/assets/images/flow_background.jpg","stages":["STAGE_ID_HASH","STAGE_ID_HASH","STAGE_ID_HASH"],"policies":[],"cache_count":0,"policy_engine_mode":"any","compatibility_mode":false,"export_url":"/api/v3/flows/instances/test-authentication-flow/export/","layout":"stacked","denied_action":"message_continue","authentication":"none"}: timestamp=2024-03-09T11:48:08.438-0500
2024-03-09T11:48:08.438-0500 [WARN]  Provider "provider[\"registry.terraform.io/goauthentik/authentik\"]" produced an unexpected new value for authentik_flow.authentication, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .background: was cty.StringVal("https://auth.example.com/media/public/flow-backgrounds/background.png"), but now cty.StringVal("/static/dist/assets/images/flow_background.jpg")
authentik_flow.authentication: Modifications complete after 0s [id=test-authentication-flow]

As mentioned, I've also tried setting the value of background to /media/public/flow-backgrounds/background.png, which yields the same result.

Make `authentik_flow` data and resource properties consistent

The resource authentik_flow has two properties id and uuid. The data of authentik_flow only has an id property that returns the uuid of the resource instead of the id.

It would be nice to:

  • Change the id property in the data to return the id instead of the uuid.
  • Create the uuid property.

This may break existing code though

data authentik_flow always errors

The example given for data authentik_flow always errors when used, i.e.:

data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}

it returns:

│ Error: No matching flows found
│ 
│   with data.authentik_flow.default-authorization-flow,
│   on authentik.tf line 47, in data "authentik_flow" "default-authorization-flow":
│   47: data "authentik_flow" "default-authorization-flow" {

I can query the api by hand on my fresh instance and know it's there. The openapi gui even finds it when submitting by hand. I can communicate with authentik fine as I can create the rest of the resources using tf.

Versions:
TF provider: 2022.6.3
Authentik instance: 2022.5.2

Missing Authentik built-in authentication UUID

I am getting a diff for the following resource definition:

resource "authentik_stage_identification" "identification" {
  name           = "terraform-identification"
  user_fields    = ["username","email"]
  #sources        = ["authentik.core.auth.InbuiltBackend"]
  password_stage = authentik_stage_password.password.id
  recovery_flow  = authentik_flow.recovery.uuid
  case_insensitive_matching = true
}

Delta by terraform apply:

  # module.authentik.authentik_stage_identification.identification will be updated in-place
  ~ resource "authentik_stage_identification" "identification" {
        id                        = "d335a821-9929-47a3-ad93-bc6a609a4a1c"
        name                      = "terraform-identification"
      ~ sources                   = [
          - "6118cbe1-c3b2-4b21-9d4e-9d4ef1fedca5",
        ]
        # (6 unchanged attributes hidden)
    }

We need a data provider for the Authentik built-in authentication so its UUID can be used.

modifying authentik_stage_authenticator_validate crashes terraform plugin

Using this resource declaration, I'm removing the "webauthn" device class from an authenticator validate stage.

resource "authentik_stage_authenticator_validate" "my-authentication-mfa-validation" {
  configuration_stages  = [data.authentik_stage.default-authenticator-totp-setup.id, ]
  device_classes        = ["totp", ]
  last_auth_threshold   = "seconds=0"
  name                  = "my-authentication-mfa-validation"
  not_configured_action = "configure"
}

Terraform will perform the following actions:

  # authentik_stage_authenticator_validate.my-authentication-mfa-validation will be updated in-place
  ~ resource "authentik_stage_authenticator_validate" "my-authentication-mfa-validation" {
      ~ device_classes        = [
            "totp",
          - "webauthn",
        ]
        id                    = "133294b9-4e3c-4ac6-b24e-2153b7412fca"
        name                  = "my-authentication-mfa-validation"
        # (3 unchanged attributes hidden)
    }

Applying this change (and as far as I can tell, any change) to this resource crashes the plugin.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

authentik_stage_authenticator_validate.my-authentication-mfa-validation: Modifying... [id=133294b9-4e3c-4ac6-b24e-2153b7412fca]
authentik_stage_identification.my-authentication-identification: Modifying... [id=e742627a-b9a7-4331-93be-30d98328fd8f]
╷
│ Error: Plugin did not respond
│ 
│   with authentik_stage_identification.my-authentication-identification,
│   on stages.tf line 108, in resource "authentik_stage_identification" "my-authentication-identification":
│  108: resource "authentik_stage_identification" "my-authentication-identification" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with authentik_stage_authenticator_validate.my-authentication-mfa-validation,
│   on stages.tf line 122, in resource "authentik_stage_authenticator_validate" "my-authentication-mfa-validation":
│  122: resource "authentik_stage_authenticator_validate" "my-authentication-mfa-validation" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-authentik_v2023.5.0 plugin:

panic: interface conversion: interface {} is []interface {}, not []string

goroutine 84 [running]:
goauthentik.io/terraform-provider-authentik/internal/provider.resourceStageAuthenticatorValidateSchemaToProvider(0x0?)
        goauthentik.io/terraform-provider-authentik/internal/provider/resource_stage_authenticator_validate.go:62 +0x3ec
goauthentik.io/terraform-provider-authentik/internal/provider.resourceStageAuthenticatorValidateUpdate({0x105751308, 0x140000af6e0}, 0x1400060a500, {0x105502220?, 0x1400011a260?})
        goauthentik.io/terraform-provider-authentik/internal/provider/resource_stage_authenticator_validate.go:109 +0x60
goauthentik.io/terraform-provider-authentik/internal/provider.tr.func3({0x105751308, 0x140000af6e0}, 0x0?, {0x105502220, 0x1400011a260})
        goauthentik.io/terraform-provider-authentik/internal/provider/tracing.go:30 +0x11c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0x1400018aa80, {0x105751340, 0x1400007f8c0}, 0xd?, {0x105502220, 0x1400011a260})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:741 +0xec
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x1400018aa80, {0x105751340, 0x1400007f8c0}, 0x140004df2b0, 0x1400060a380, {0x105502220, 0x1400011a260})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:847 +0x680
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x1400000c0f0, {0x105751340?, 0x1400007f7a0?}, 0x14000717ae0)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1021 +0xb94
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x140004e5360, {0x105751340?, 0x14000281ec0?}, 0x140003a9260)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:818 +0x3c0
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1056cfa00?, 0x140004e5360}, {0x105751340, 0x14000281ec0}, 0x140003a91f0, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x174
google.golang.org/grpc.(*Server).processUnaryRPC(0x14000010000, {0x1057541a0, 0x140007024e0}, 0x140004ff200, 0x1400007ee70, 0x105f88700, 0x0)
        google.golang.org/[email protected]/server.go:1340 +0xb90
google.golang.org/grpc.(*Server).handleStream(0x14000010000, {0x1057541a0, 0x140007024e0}, 0x140004ff200, 0x0)
        google.golang.org/[email protected]/server.go:1713 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        google.golang.org/[email protected]/server.go:965 +0x88
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:963 +0x298

Error: The terraform-provider-authentik_v2023.5.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

After making the necessary change in the web UI, Terraform is happy to leave it alone.
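The panic message in the trace above, reproduced outside the provider as an added example (this is not the provider's code): a direct `.([]string)` assertion on a value whose dynamic type is `[]interface{}` panics, while an element-by-element conversion returns an error instead. It assumes the value originates from a list attribute, which terraform-plugin-sdk v2 hands to providers as `[]interface{}`; the function names and sample value are hypothetical.

```go
package main

import "fmt"

// Constructed sample: the shape a list-of-strings attribute has when read
// through the plugin SDK (assumption: the crashing field is such a list).
var sampleDeviceClasses interface{} = []interface{}{"totp"}

// unsafeStrings shows the failing pattern: asserting straight to []string.
// Go does not convert between slice types, so this panics for []interface{}.
func unsafeStrings(raw interface{}) []string {
	return raw.([]string)
}

// toStrings converts a list value element by element and reports a typed
// error instead of panicking, so the caller can surface a diagnostic.
func toStrings(raw interface{}) ([]string, error) {
	switch v := raw.(type) {
	case nil:
		return nil, nil
	case []string:
		return v, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for i, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("element %d: expected string, got %T", i, e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("expected a list of strings, got %T", raw)
	}
}

// panicMessage runs f and returns the text of any panic it raises,
// or the empty string when f returns normally.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	msg := panicMessage(func() { _ = unsafeStrings(sampleDeviceClasses) })
	fmt.Println("direct assertion:", msg)

	classes, err := toStrings(sampleDeviceClasses)
	fmt.Println("converted:", classes, "error:", err)

	_, err = toStrings([]interface{}{"totp", 7})
	fmt.Println("mixed list:", err)
}
```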

Edit default authentication flow

Hi, I'm trying to tweak the default-authentication-flow using terraform to add the password recovery functionality. To be able to do this I had to:

  • Create the following terraform resource:

data "authentik_stage" "default_authentication_password" {
  name = "default-authentication-password"
}

resource "authentik_stage_identification" "default_authentication" {
  name                      = "default-authentication-identification"
  user_fields               = ["username", "email"]
  password_stage            = data.authentik_stage.default_authentication_password.id
  case_insensitive_matching = true
  recovery_flow             = authentik_flow.password_recovery.uuid
}

  • Go to the flow stage bindings page of the default-authentication-flow and edit the stage binding default-authentication-identification with the browser console open to be able to deduce from the browser requests the uuid of the stage.
  • Import the resource in terraform: terraform import authentik_stage_identification.default_authentication 2e9a71c0-eb31-46fe-9572-fa7d47f23g1h (which is the uuid extracted above)
  • And then I had to manually remove the default-authentication-password stage binding as it's already dealt with in the first stage.

These two manual steps make it impossible to have all the configuration of the site as terraform code. Is there any way to do these two steps with terraform?

I've thought of creating a custom authentication flow, but I don't know how to tell authentik to use it instead of default-authentication-flow

Include `sub_text` in `authentik_stage_prompt_field`

Authentik allows you to add a "Help text" to your prompt field.
If you export a flow containing a prompt field that contains a "Help Text", you can see this "Help Text" gets exported to the key sub_text and you can also see it in the model here and its support through authentik api here.

This field is an important one when it comes to static fields where you want to just display some text, as this sub_text is the value which gets displayed.

So it would be nice, if this value could be set through the terraform provider as well.

add data source authentik_stage

A data source authentik_stage would make it easier to provide an adaption of standard flows, because existing stages could be used and only the stages which need to be changed have to be provided.

Run Terraform init with proxy

Hi All,
I have an issue running the terraform init command. It's not taking the proxy authentication and I can't find a way to run it using the proxy authentication. Even when I configure PowerShell with my proxy settings, the init command keeps failing.

When I do a curl command https://registry.terraform.io with proxy settings, it's working.

Can someone please help me how to run this "terraform init" command with proxy settings + proxy authentication?

Force default override on authentik_tenant?

I would like to create a new tenant with Terraform and have that one be the default one instead of authentik-default without having to manually mark it as the non-default (or having to terraform import it). Right now if I try to do it, I get an error saying that only one tenant can be the default, and Terraform refuses to create the resource.

Would it be possible to either make the behavior of default = true such that if only authentik-default exists the provider makes the new one the default OR to have an explicit force_default field that will trigger this behavior?

I know that the behavior can get a little more complicated when having more than one non-default tenants and I'm not sure how that could be handled. Maybe just documenting that you can only use default = true (or force_default = true) on one authentik_tenant instance, and/or use ignore_changes on all the other ones?

Attach an application to default outpost

Hello! First I want to congratulate you on the amazing authentik!! It's fabulous!

I need some help... I can create an application and a domain proxy provider, and I want to attach the application to the default outpost "authentik Embedded Outpost", but I can't find which Terraform resource I can use to attach the application to the outpost.

Any Help? Thanks!

Terraform Code

terraform {
  required_providers {
    authentik = {
      source = "goauthentik/authentik"
    }
  }
}

provider "authentik" {
  url   = "https://sso.apps.core.example.com"
  token = "mysupersecrettoken"
}

data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}

resource "authentik_provider_proxy" "proxy_domain_forward_auth" {
  name                  = "Domain Forward Auth Provider"
  external_host         = "https://sso.apps.core.example.com/"
  mode                  = "forward_domain"
  cookie_domain         = "example.com"
  access_token_validity = "hours=24"
  authorization_flow    = data.authentik_flow.default-authorization-flow.id
}

resource "authentik_application" "application_domain_forward_auth" {
  name              = "Domain Forward Auth Application"
  slug              = "domain-forward-auth-application"
  protocol_provider = authentik_provider_proxy.proxy_domain_forward_auth.id
}

Allow Social login configuration through Terraform

Problem definition
I am following this guide: https://goauthentik.io/integrations/sources/general#add-sources-to-default-login-page in order to add a social login to my Authentik installation.
I am unable to change the "default-authentication-flow" through the Terraform provider in order to add the social login to the default login screen.

What would I expect
A change to the "authentik_flow_stage_binding" resource that would allow for me to add the new sources as an option.

errors when running against fresh instance with old state

When I run my existing state with authentik terraform definitions against a fresh setup it does not detect that remote states are lost. Instead, it throws some errors.

Workaround: need to delete the state manually before terraform plan/apply.

Expected: missing remote resources should be restored/re-created.

Interface conversion error in `authentik_stage_authenticator_validate` when using `configuration_stages`

If you want to set up an authenticator validation stage which forces a user to configure an authenticator if none is present, you have to define configuration stages.

If you do so, the plugin crashes. Here is a minimal example to reproduce:

# Declare provider
terraform {
  required_providers {
    authentik = {
      source = "goauthentik/authentik"
      version = "2023.5.0"
    }
  }
}

# Declare Variables
variable "authentik_url" { default = "http://localhost:9000/" }
variable "authentik_token" {}

# Setup provider
provider "authentik" {
  url   = var.authentik_url
  token = var.authentik_token
}

# Create TOTP setup stage
resource "authentik_stage_authenticator_totp" "demo_totp_setup" {
  name = "demo-totp-setup"
}

# Create the validation stage
resource "authentik_stage_authenticator_validate" "demo_mfa_validate" {
  name                  = "demo-mfa-validate"
  device_classes        = ["totp"]
  not_configured_action = "configure"
  configuration_stages  = [authentik_stage_authenticator_totp.demo_totp_setup.id ]
}

In this example I just use one configuration stage to keep it simple. The error occurs for all configurable authenticator setup stages (static, webauthn, totp, ...) and for any combination of them.

The error produced is as follows:

╷
│ Error: Plugin did not respond
│ 
│   with authentik_stage_authenticator_validate.demo_mfa_validate,
│   on main.tf line 27, in resource "authentik_stage_authenticator_validate" "demo_mfa_validate":
│   27: resource "authentik_stage_authenticator_validate" "demo_mfa_validate" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-authentik_v2023.5.0 plugin:

panic: interface conversion: interface {} is []interface {}, not []string

goroutine 56 [running]:
goauthentik.io/terraform-provider-authentik/internal/provider.resourceStageAuthenticatorValidateSchemaToProvider(0x0?)
	goauthentik.io/terraform-provider-authentik/internal/provider/resource_stage_authenticator_validate.go:62 +0x405
goauthentik.io/terraform-provider-authentik/internal/provider.resourceStageAuthenticatorValidateCreate({0x152f768, 0xc000480780}, 0x13907a4?, {0x1136280?, 0xc00000e968?})
	goauthentik.io/terraform-provider-authentik/internal/provider/resource_stage_authenticator_validate.go:76 +0x6a
goauthentik.io/terraform-provider-authentik/internal/provider.tr.func1({0x152f768, 0xc000480780}, 0x0?, {0x1136280, 0xc00000e968})
	goauthentik.io/terraform-provider-authentik/internal/provider/tracing.go:18 +0x177
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xc0001c0b60, {0x152f7a0, 0xc000175590}, 0xd?, {0x1136280, 0xc00000e968})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:707 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc0001c0b60, {0x152f7a0, 0xc000175590}, 0xc0003631e0, 0xc0005c2e00, {0x1136280, 0xc00000e968})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:837 +0xa7a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc000311368, {0x152f7a0?, 0xc000175470?}, 0xc0005ae550)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1021 +0xe3c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc000543680, {0x152f7a0?, 0xc000174ae0?}, 0xc000210230)
	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:818 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1302be0?, 0xc000543680}, {0x152f7a0, 0xc000174ae0}, 0xc000210000, 0x0)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x1532660, 0xc0007029c0}, 0xc0005f4900, 0xc00025af30, 0x1d8b720, 0x0)
	google.golang.org/[email protected]/server.go:1340 +0xd13
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x1532660, 0xc0007029c0}, 0xc0005f4900, 0x0)
	google.golang.org/[email protected]/server.go:1713 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/[email protected]/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:963 +0x28a

Error: The terraform-provider-authentik_v2023.5.0 plugin crashed!
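
The panic in this report is Go's failed type assertion: the Terraform plugin SDK hands a provider list attributes as []interface{}, so asserting []string directly aborts the plugin process. The following is an added example, not the provider's own code; `toStringSlice`, `uncheckedCast` and the sample stage ID are hypothetical. It shows the failing assertion beside a checked conversion:

```go
package main

import "fmt"

// sampleStages is constructed input. It has the shape the Terraform plugin SDK
// uses for a list attribute: []interface{}, even when every element is a string.
func sampleStages() interface{} {
	return []interface{}{"00000000-0000-0000-0000-000000000001"}
}

// uncheckedCast uses a single-value type assertion, which panics when the
// dynamic type is not exactly []string. The panic is recovered here only so
// the message can be inspected.
func uncheckedCast(raw interface{}) (out []string, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	out = raw.([]string)
	return out, ""
}

// toStringSlice (hypothetical helper) converts element by element and returns
// an error instead of panicking on an unexpected shape.
func toStringSlice(raw interface{}) ([]string, error) {
	switch v := raw.(type) {
	case nil:
		return nil, nil // attribute not set
	case []string:
		return v, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for i, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("element %d: want string, got %T", i, e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("want a list, got %T", raw)
	}
}

func main() {
	_, msg := uncheckedCast(sampleStages())
	fmt.Println("unchecked:", msg)

	stages, err := toStringSlice(sampleStages())
	fmt.Println("checked:", stages, err)

	_, err = toStringSlice([]interface{}{"ok", 42})
	fmt.Println("bad element:", err)
}
```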

fields using heredoc always show change

consider the following resource

resource "authentik_stage_prompt_field" "username" {
  field_key              = "username"
  required               = true
  type                   = "text"
  label                  = "Username"
  placeholder = <<EOT
try:
  return user.username
except:
  return ''
EOT
  # placeholder            = "try:\n    return user.username\nexcept:\n    return ''"
  placeholder_expression = true
  order                  = 200
}

This will always show a change

Terraform will perform the following actions:

  # authentik_stage_prompt_field.username will be updated in-place
  ~ resource "authentik_stage_prompt_field" "username" {
        id                     = "999be44a-97b5-4ae0-a87c-32207bb1dd60"
      ~ placeholder            = <<-EOT
            try:
              return user.username
            except:
              return ''
        EOT
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

When converting it to inline (eg replacing the whitespace with escape characters) it will work properly.

Segmentation violation with self signed certificate

Provider version: 2021.10.3
Terraform version: v1.0.11
System: Linux Mint 20.02
Kernel: 5.4.0-91-generic x86_64

Error message:

2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: PANIC: runtime error: invalid memory address or nil pointer dereference
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: [signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x10c57b7]
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: goroutine 93 [running]:
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: goauthentik.io/terraform-provider-authentik/internal/provider.httpToDiag(0x0, 0x14b0800, 0xc00027ca80, 0xc000544368, 0xc000036d20, 0x24)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	goauthentik.io/terraform-provider-authentik/internal/provider/utils.go:94 +0x37
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: goauthentik.io/terraform-provider-authentik/internal/provider.resourceLDAPPropertyMappingRead(0x14c08c8, 0xc0001e5380, 0xc0000d3300, 0x11400e0, 0xc0000a0128, 0xc0001fc6d0, 0xc0003c3908, 0x40e0f8)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	goauthentik.io/terraform-provider-authentik/internal/provider/resource_property_mapping_ldap.go:67 +0x231
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc0002bae00, 0x14c0858, 0xc0001b3c40, 0xc0000d3300, 0x11400e0, 0xc0000a0128, 0x0, 0x0, 0x0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:347 +0x17f
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc0002bae00, 0x14c0858, 0xc0001b3c40, 0xc0001e71e0, 0x11400e0, 0xc0000a0128, 0xc0000a1370, 0x0, 0x0, 0x0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:624 +0x1cb
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc0000c82e8, 0x14c0858, 0xc0001b3c40, 0xc0001b3c80, 0xc0001b3c40, 0x40b965, 0x12a4da0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:576 +0x47d
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc0005948c0, 0x14c0900, 0xc0001b3c40, 0xc0001e4ea0, 0xc0005948c0, 0xc0001f7410, 0xc0001cfba0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:298 +0x105
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler(0x12f12c0, 0xc0005948c0, 0x14c0900, 0xc0001f7410, 0xc0001e4e40, 0x0, 0x14c0900, 0xc0001f7410, 0xc0001a2380, 0xe0)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:344 +0x214
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: google.golang.org/grpc.(*Server).processUnaryRPC(0xc00023cc40, 0x14c8af8, 0xc000083e00, 0xc000143e00, 0xc000457290, 0x1bf4630, 0x0, 0x0, 0x0)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:1194 +0x52b
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: google.golang.org/grpc.(*Server).handleStream(0xc00023cc40, 0x14c8af8, 0xc000083e00, 0xc000143e00, 0x0)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:1517 +0xd0c
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000038410, 0xc00023cc40, 0x14c8af8, 0xc000083e00, 0xc000143e00)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:859 +0xab
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: created by google.golang.org/grpc.(*Server).serveStreams.func1
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:857 +0x1fd
2021-11-29T12:32:52.646+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-11-29T12:32:52.646+0100 [ERROR] plugin.(*GRPCProvider).ReadResource: error="rpc error: code = Unavailable desc = transport is closing"
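
In the trace above, httpToDiag is entered with 0x0 as its first argument. Go's HTTP client returns a nil response whenever the transport fails, which includes a certificate that does not verify. The following is an added example, not the provider's own code: it assumes that argument is the *http.Response, and `describeFailure`, `uncheckedStatus`, the stand-in transport and the `.invalid` URL are hypothetical. It shows the unguarded access beside a guarded one that reports the trust failure:

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
)

// untrustedCertTransport is a constructed stand-in for a TLS handshake that
// fails certificate verification; it never opens a network connection.
type untrustedCertTransport struct{}

func (untrustedCertTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return nil, x509.UnknownAuthorityError{}
}

// probe issues a request through the failing transport. The client returns a
// nil response together with the wrapped verification error.
func probe() (*http.Response, error) {
	client := &http.Client{Transport: untrustedCertTransport{}}
	return client.Get("https://authentik.invalid/api/v3/")
}

// uncheckedStatus reads the response without looking at err first, the
// pattern that ends in a nil pointer dereference when the transport fails.
func uncheckedStatus(resp *http.Response, err error) (status string, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return resp.Status, false
}

// describeFailure (hypothetical helper) checks err and resp before use and
// names the trust problem instead of crashing.
func describeFailure(resp *http.Response, err error) string {
	var unknownCA x509.UnknownAuthorityError
	switch {
	case errors.As(err, &unknownCA):
		return "TLS verification failed: server certificate is not signed by a trusted CA"
	case err != nil && resp == nil:
		return fmt.Sprintf("request failed before any response: %v", err)
	case resp == nil:
		return "no response and no error reported"
	case resp.StatusCode >= 400:
		return fmt.Sprintf("HTTP error %s", resp.Status)
	default:
		return "ok"
	}
}

func main() {
	resp, err := probe()
	if resp != nil {
		defer resp.Body.Close()
	}
	_, panicked := uncheckedStatus(resp, err)
	fmt.Println("unchecked access panicked:", panicked)
	fmt.Println("guarded:", describeFailure(resp, err))
}
```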

Crossplane provider

I started a crossplane provider for authentik based on terrajet and this terraform provider.
Is there any interest to use this and/or share it here in the future?
provider-jet-authentik

Argument `token_length` in resource `authentik_stage_authenticator_static` has no effect

Basically, the title says it all: the argument token_length in resource authentik_stage_authenticator_static has no effect.

E.g. the following configuration...

resource "authentik_stage_authenticator_static" "mfa_static_setup" {
  name           = "🔑 Create Recovery Codes"
  friendly_name  = "🔑 Recovery Codes"
  configure_flow = authentik_flow.mfa_static_setup.uuid
  token_count    = 6
  token_length   = 8
}

...results in following plan...

# authentik_stage_authenticator_static.mfa_static_setup will be updated in-place
~ resource "authentik_stage_authenticator_static" "mfa_static_setup" {
      id             = "5e69382a-ccd7-4f42-91ed-ce49d76c7e5b"
      name           = "🔑 Create Recovery Codes"
    ~ token_length   = 0 -> 8
      # (3 unchanged attributes hidden)
  }

...but the token length will not be updated and if you rerun, it will again try to update token_length in-place...

    ~ token_length   = 0 -> 8

Inconsistent property_mappings behavior in authentik_provider_proxy

Issue Description

When creating a Terraform resource authentik_provider_proxy with a property_mappings array, the state of the resource on the server becomes inconsistent with respect to the state in the configuration.

Steps to Reproduce

  1. Define the following Terraform configuration:
resource "authentik_scope_mapping" "my_mapping" {
  name       = "my_mapping"
  scope_name = "my_mapping"
  expression = [...]
}
resource "authentik_provider_proxy" "provider_proxy" {
  name              = "example"
  mode              = "forward_single"
  external_host     = "https://my.example.com"
  property_mappings = [authentik_scope_mapping.my_mapping.id]
}
  2. After creating the resources, run terraform apply again.

Observed Behavior

Each time terraform apply is executed, Terraform attempts to modify the resource to remove some property_mappings:

  ~ resource "authentik_provider_proxy" "provider_proxy" {
      ~ property_mappings            = [
            "my_mapping_id",
          - "managed_mapping_id_1",
          - "managed_mapping_id_2",
          - "managed_mapping_id_3",
          - "managed_mapping_id_4",
        ]
    }

Expected Behavior

The resource should maintain consistency between the configuration and the server state. Terraform should not attempt to remove "managed_mapping_id_1", "managed_mapping_id_2", "managed_mapping_id_3", and "managed_mapping_id_4", as these are considered "managed mappings" and should not be altered by Terraform during plan execution.

managed mappings

Prompt fields not reachable

Hi,
It would be great to have a data "authentik_prompt_fields",
as I don't know how to get the UUID of an existing prompt field.

Another suggestion: it would be great to modify an existing stage with Terraform, instead of creating a nearly identical stage with only one difference.

john

Documentation error

Referencing https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/policy_binding:

Taking the example published, in order to create a policy binding on an app the code should be:

data "authentik_group" "admins" {
  name = "authentik Admins"
}

resource "authentik_application" "name" {
  name = "test app"
  slug = "test-app"
}

resource "authentik_policy_binding" "app-access" {
  target = authentik_application.name.id
  group  = data.authentik_group.admins.id
  order  = 0
}

But when applying, Terraform rejects it with

Error: HTTP Error '400 Bad Request' during request 'POST /api/v3/policies/bindings/': "{"target":["“test-app” is not a valid UUID."]}"
│ 
│   with authentik_policy_binding.app-access,
│   on authentik.tf line 92, in resource "authentik_policy_binding" "app-access":
│   92: resource "authentik_policy_binding" "app-access" {

Further investigation into the api specifications and tfstate will show the correct snippet should be

data "authentik_group" "admins" {
  name = "authentik Admins"
}

resource "authentik_application" "name" {
  name = "test app"
  slug = "test-app"
}

resource "authentik_policy_binding" "app-access" {
  target = authentik_application.name.uuid //<--- HERE
  group  = data.authentik_group.admins.id
  order  = 0
}

authentik_provider_oauth2 token_validity error

authentik_provider_oauth2 resources started showing a change in token_validity when doing terraform plan, although it looks as if it doesn't actually change the property:

  ~ resource "authentik_provider_oauth2" "gitea" {
        access_code_validity       = "minutes=1"
        ...
      + token_validity             = "minutes=10"
    }

If you apply the change, when you reapply the diff is shown again. Furthermore, I've manually set the Refresh Token validity to minutes=11 and it looks like terraform is not aware of the configuration either.

I'm using the 2023.2.0 version of the provider.

Until the issue is fixed you can add the next configuration to your resources:

  lifecycle {
    ignore_changes = [
      token_validity,
    ]
  }
