infra/stacks/authentik/tripit-email-blueprint.tf

# Delivers the TripIt enrollment/recovery email-verification stages + their flow
# bindings (tripit-email-stages.yaml) as a server-applied Authentik blueprint.
#
# Why a blueprint and not authentik_stage_email resources: the globally-pinned
# provider (goauthentik 2024.x in terragrunt.hcl) models EmailStage.token_expiry
# as an integer, but the live server (2026.2.x) requires a duration string and
# 400s any number. The blueprint is parsed by the server, which accepts the
# string. Bumping the provider would mean a global terragrunt.hcl change that
# re-applies every platform stack — disproportionate. See tripit-flows.tf.
#
# depends_on the flows so they exist before Authentik resolves the blueprint's
# !Find [..., slug, tripit-enrollment|tripit-recovery] references.
resource "authentik_blueprint" "tripit_email_stages" {
  name    = "tripit-email-stages"
  content = file("${path.module}/tripit-email-stages.yaml")
  enabled = true

  depends_on = [
    authentik_flow.tripit_enrollment,
    authentik_flow.tripit_recovery,
  ]
}
fix(authentik): deliver tripit email-verify stages via blueprint (provider token_expiry too old) Pipeline 214 failed: the pinned goauthentik 2024.x provider models EmailStage.token_expiry as an integer, but the live 2026.2.x server requires a duration string ('hours=24') and 400s any number (even the provider default 30). Bumping the provider is a global terragrunt.hcl change re-applying every platform stack + breaking 3 other authentik-using stacks' lockfiles — disproportionate. Instead the two email-verification stages + their flow bindings move into an Authentik blueprint (tripit-email-stages.yaml) applied server-side via authentik_blueprint; the server parses token_expiry natively. Validated on the live server + terraform validate. Restores the ADR-0020 email-verification security gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-17 07:30:05 +00:00			`# Delivers the TripIt enrollment/recovery email-verification stages + their flow`
			`# bindings (tripit-email-stages.yaml) as a server-applied Authentik blueprint.`
			`#`
			`# Why a blueprint and not authentik_stage_email resources: the globally-pinned`
			`# provider (goauthentik 2024.x in terragrunt.hcl) models EmailStage.token_expiry`
			`# as an integer, but the live server (2026.2.x) requires a duration string and`
			`# 400s any number. The blueprint is parsed by the server, which accepts the`
			`# string. Bumping the provider would mean a global terragrunt.hcl change that`
			`# re-applies every platform stack — disproportionate. See tripit-flows.tf.`
			`#`
			`# depends_on the flows so they exist before Authentik resolves the blueprint's`
			`# !Find [..., slug, tripit-enrollment\|tripit-recovery] references.`
			`resource "authentik_blueprint" "tripit_email_stages" {`
			`name = "tripit-email-stages"`
			`content = file("${path.module}/tripit-email-stages.yaml")`
			`enabled = true`

			`depends_on = [`
			`authentik_flow.tripit_enrollment,`
			`authentik_flow.tripit_recovery,`
			`]`
			`}`