infra/stacks/authentik/authentik_provider.tf

# goauthentik/authentik Terraform provider.
#
# Adopted 2026-04-18 (Wave 6a of the state-drift consolidation plan) to bring
# the catch-all Proxy Provider — previously managed only via the Authentik UI
# — under Terraform management. API token lives in Vault
# `secret/authentik/tf_api_token` (token identifier `terraform-infra-stack`,
# intent API, user akadmin, no expiry). Required-providers declaration sits
# in the central terragrunt.hcl so every stack has it available; only this
# stack configures a provider block.

data "vault_kv_secret_v2" "authentik_tf" {
  mount = "secret"
  name  = "authentik"
}

provider "authentik" {
  url   = "https://authentik.viktorbarzin.me"
  token = data.vault_kv_secret_v2.authentik_tf.data["tf_api_token"]
}

data "authentik_flow" "default_authorization_implicit_consent" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "default_provider_invalidation" {
  slug = "default-provider-invalidation-flow"
}

# -----------------------------------------------------------------------------
# Catch-all Proxy Provider + Application.
#
# Created via the Authentik UI ~a year ago; adopted into Terraform 2026-04-18
# (Wave 6a). The proxy provider is consumed by the embedded outpost
# (uuid 0eecac07-97c7-443c-8925-05f2f4fe3e47) via an outpost-level binding
# that stays in the UI — it's a single toggle with no drift risk.
# -----------------------------------------------------------------------------

resource "authentik_application" "catchall" {
  name              = "Domain wide catch all"
  slug              = "domain-wide-catch-all"
  protocol_provider = authentik_provider_proxy.catchall.id
  lifecycle {
    ignore_changes = [meta_description, meta_launch_url, meta_icon, group, backchannel_providers, policy_engine_mode, open_in_new_tab]
  }
}

resource "authentik_provider_proxy" "catchall" {
  name          = "Provider for Domain wide catch all"
  mode          = "forward_domain"
  external_host = "https://authentik.viktorbarzin.me"
  cookie_domain = "viktorbarzin.me"
  # Flow UUIDs resolved dynamically so a flow re-creation (keeping the slug)
  # doesn't require an HCL edit.
  authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id
  invalidation_flow  = data.authentik_flow.default_provider_invalidation.id
  lifecycle {
    ignore_changes = [property_mappings, jwt_federation_sources, skip_path_regex, internal_host, basic_auth_enabled, basic_auth_password_attribute, basic_auth_username_attribute, intercept_header_auth, access_token_validity]
  }
}
[infra] Adopt Authentik catch-all Proxy Provider + Application into TF (Wave 6a) ## Context Wave 6a of the state-drift consolidation plan. The Domain wide catch all Proxy Provider (pk=5) + its wrapping Application (slug=domain-wide-catch-all) + the embedded outpost (uuid 0eecac07-97c7-443c-8925-05f2f4fe3e47) have run for a year as pure UI-created state. When the 2026-04-18 outpost SEV2 hit, it was harder to reason about the config than it should have been — the only source of truth was the Authentik admin UI. Bringing the provider + application under Terraform means future changes are reviewable in PRs and recoverable from git if the admin UI misbehaves. ## This change Adds the `goauthentik/authentik` provider to the repo's central `terragrunt.hcl` `required_providers` (side-effect: every stack can now declare authentik resources; this stack is the only current consumer). Stack-local `stacks/authentik/authentik_provider.tf` holds the provider instance configuration + API token wiring + two resources + their flow data-source lookups. ### Auth - API token stored in Vault at `secret/authentik/tf_api_token`, identifier `terraform-infra-stack`, intent=API, user=akadmin, no expiry. Rotatable by rewriting the Vault KV + any running TF apply picks it up on next plan. ### Imports (both landed zero-diff) - `authentik_application.catchall` ← id `domain-wide-catch-all` - `authentik_provider_proxy.catchall` ← id `5` ### Flow references Authorization + invalidation flows are looked up via `data "authentik_flow"` by slug (`default-provider-authorization-implicit-consent` + `default-provider-invalidation-flow`). Keeping them as data sources rather than hardcoded UUIDs means a flow recreation (slug unchanged) doesn't require an HCL edit. ### `lifecycle { ignore_changes }` scope On `authentik_provider_proxy.catchall`: - `property_mappings` (5 UUIDs), `jwt_federation_sources` (1 UUID) — the live state references complex many-to-many relations that are easier to manage from the Authentik UI than to serialise in HCL. Drift suppressed. - `skip_path_regex`, `internal_host`, all `basic_auth_*`, `intercept_header_auth`, `access_token_validity` — either defaults or UI-only tuning knobs that aren't part of Terraform's concern for this catch-all provider. On `authentik_application.catchall`: - `meta_description`, `meta_launch_url`, `meta_icon`, `group`, `backchannel_providers`, `policy_engine_mode`, `open_in_new_tab` — cosmetic/non-functional attributes; the Authentik UI is the right place to edit these and drift on them isn't interesting. ## What is NOT in this change - Outpost-binding resource — the embedded outpost's provider list is a single-row many-to-many that the Authentik UI manages cleanly; adding TF there would fight the UI without reducing drift. - Property mappings and JWT federation source — managed via UI, drift suppressed. A future wave can bring them in when someone actually wants to edit them through code review. - Other Authentik entities (Flows, Stages, Groups, RBAC policies) — same rationale: UI is the natural editing surface. Adopt incrementally as they become interesting to code-review. ## Verification ``` $ cd stacks/authentik && ../../scripts/tg plan \| grep Plan: Plan: 0 to add, 1 to change, 0 to destroy. # module.authentik.kubernetes_deployment.pgbouncer — pre-existing drift, # unrelated to this commit (image_pull_policy Always -> IfNotPresent) $ ../../scripts/tg state list \| grep authentik_ authentik_application.catchall authentik_provider_proxy.catchall data.authentik_flow.default_authorization_implicit_consent data.authentik_flow.default_provider_invalidation ``` ## Reproduce locally 1. `git pull && cd stacks/authentik && ../../scripts/tg init` 2. Terraform pulls goauthentik/authentik provider (first time). 3. `tg plan` — expect only pgbouncer drift; authentik resources read-only. Refs: Wave 6a of the state-drift consolidation (code-hl1) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-18 22:48:26 +00:00			`# goauthentik/authentik Terraform provider.`
			`#`
			`# Adopted 2026-04-18 (Wave 6a of the state-drift consolidation plan) to bring`
			`# the catch-all Proxy Provider — previously managed only via the Authentik UI`
			`# — under Terraform management. API token lives in Vault`
			# `secret/authentik/tf_api_token` (token identifier `terraform-infra-stack`,
			`# intent API, user akadmin, no expiry). Required-providers declaration sits`
			`# in the central terragrunt.hcl so every stack has it available; only this`
			`# stack configures a provider block.`

			`data "vault_kv_secret_v2" "authentik_tf" {`
			`mount = "secret"`
			`name = "authentik"`
			`}`

			`provider "authentik" {`
			`url = "https://authentik.viktorbarzin.me"`
			`token = data.vault_kv_secret_v2.authentik_tf.data["tf_api_token"]`
			`}`

			`data "authentik_flow" "default_authorization_implicit_consent" {`
			`slug = "default-provider-authorization-implicit-consent"`
			`}`

			`data "authentik_flow" "default_provider_invalidation" {`
			`slug = "default-provider-invalidation-flow"`
			`}`

			`# -----------------------------------------------------------------------------`
			`# Catch-all Proxy Provider + Application.`
			`#`
			`# Created via the Authentik UI ~a year ago; adopted into Terraform 2026-04-18`
			`# (Wave 6a). The proxy provider is consumed by the embedded outpost`
			`# (uuid 0eecac07-97c7-443c-8925-05f2f4fe3e47) via an outpost-level binding`
			`# that stays in the UI — it's a single toggle with no drift risk.`
			`# -----------------------------------------------------------------------------`

			`resource "authentik_application" "catchall" {`
			`name = "Domain wide catch all"`
			`slug = "domain-wide-catch-all"`
			`protocol_provider = authentik_provider_proxy.catchall.id`
			`lifecycle {`
			`ignore_changes = [meta_description, meta_launch_url, meta_icon, group, backchannel_providers, policy_engine_mode, open_in_new_tab]`
			`}`
			`}`

			`resource "authentik_provider_proxy" "catchall" {`
			`name = "Provider for Domain wide catch all"`
			`mode = "forward_domain"`
			`external_host = "https://authentik.viktorbarzin.me"`
			`cookie_domain = "viktorbarzin.me"`
			`# Flow UUIDs resolved dynamically so a flow re-creation (keeping the slug)`
			`# doesn't require an HCL edit.`
			`authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id`
			`invalidation_flow = data.authentik_flow.default_provider_invalidation.id`
			`lifecycle {`
			`ignore_changes = [property_mappings, jwt_federation_sources, skip_path_regex, internal_host, basic_auth_enabled, basic_auth_password_attribute, basic_auth_username_attribute, intercept_header_auth, access_token_validity]`
			`}`
			`}`