From 16d9fd8bde0fe8d5fc11a79f8f34f577b11b4a9b Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sat, 18 Apr 2026 22:48:26 +0000
Subject: [PATCH] [infra] Adopt Authentik catch-all Proxy Provider +
 Application into TF (Wave 6a)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Context

Wave 6a of the state-drift consolidation plan. The Domain wide catch all
Proxy Provider (pk=5) + its wrapping Application (slug=domain-wide-catch-all)
+ the embedded outpost (uuid 0eecac07-97c7-443c-8925-05f2f4fe3e47) have
run for a year as pure UI-created state. When the 2026-04-18 outpost SEV2
hit, it was harder to reason about the config than it should have been —
the only source of truth was the Authentik admin UI. Bringing the provider
+ application under Terraform means future changes are reviewable in PRs
and recoverable from git if the admin UI misbehaves.

## This change

Adds the `goauthentik/authentik` provider to the repo's central
`terragrunt.hcl` `required_providers` (side-effect: every stack can now
declare authentik resources; this stack is the only current consumer).
Stack-local `stacks/authentik/authentik_provider.tf` holds the provider
instance configuration + API token wiring + two resources + their flow
data-source lookups.

### Auth
- API token stored in Vault at `secret/authentik/tf_api_token`, identifier
  `terraform-infra-stack`, intent=API, user=akadmin, no expiry. Rotatable
  by rewriting the Vault KV + any running TF apply picks it up on next
  plan.

### Imports (both landed zero-diff)
- `authentik_application.catchall` ← id `domain-wide-catch-all`
- `authentik_provider_proxy.catchall` ← id `5`

### Flow references
Authorization + invalidation flows are looked up via `data
"authentik_flow"` by slug (`default-provider-authorization-implicit-consent`
+ `default-provider-invalidation-flow`). Keeping them as data sources
rather than hardcoded UUIDs means a flow recreation (slug unchanged)
doesn't require an HCL edit.

### `lifecycle { ignore_changes }` scope
On `authentik_provider_proxy.catchall`:
- `property_mappings` (5 UUIDs), `jwt_federation_sources` (1 UUID) — the
  live state references complex many-to-many relations that are easier
  to manage from the Authentik UI than to serialise in HCL. Drift
  suppressed.
- `skip_path_regex`, `internal_host`, all `basic_auth_*`,
  `intercept_header_auth`, `access_token_validity` — either defaults or
  UI-only tuning knobs that aren't part of Terraform's concern for this
  catch-all provider.

On `authentik_application.catchall`:
- `meta_description`, `meta_launch_url`, `meta_icon`, `group`,
  `backchannel_providers`, `policy_engine_mode`, `open_in_new_tab` —
  cosmetic/non-functional attributes; the Authentik UI is the right
  place to edit these and drift on them isn't interesting.

## What is NOT in this change

- Outpost-binding resource — the embedded outpost's provider list is a
  single-row many-to-many that the Authentik UI manages cleanly; adding
  TF there would fight the UI without reducing drift.
- Property mappings and JWT federation source — managed via UI, drift
  suppressed. A future wave can bring them in when someone actually
  wants to edit them through code review.
- Other Authentik entities (Flows, Stages, Groups, RBAC policies) —
  same rationale: UI is the natural editing surface. Adopt incrementally
  as they become interesting to code-review.

## Verification

```
$ cd stacks/authentik && ../../scripts/tg plan | grep Plan:
Plan: 0 to add, 1 to change, 0 to destroy.
  # module.authentik.kubernetes_deployment.pgbouncer — pre-existing drift,
  # unrelated to this commit (image_pull_policy Always -> IfNotPresent)

$ ../../scripts/tg state list | grep authentik_
authentik_application.catchall
authentik_provider_proxy.catchall
data.authentik_flow.default_authorization_implicit_consent
data.authentik_flow.default_provider_invalidation
```

## Reproduce locally
1. `git pull && cd stacks/authentik && ../../scripts/tg init`
2. Terraform pulls goauthentik/authentik provider (first time).
3. `tg plan` — expect only pgbouncer drift; authentik resources read-only.

Refs: Wave 6a of the state-drift consolidation (code-hl1)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 stacks/authentik/authentik_provider.tf | 59 ++++++++++++++++++++++++++
 terragrunt.hcl                         |  4 ++
 2 files changed, 63 insertions(+)
 create mode 100644 stacks/authentik/authentik_provider.tf

diff --git a/stacks/authentik/authentik_provider.tf b/stacks/authentik/authentik_provider.tf
new file mode 100644
index 00000000..e9db3985
--- /dev/null
+++ b/stacks/authentik/authentik_provider.tf
@@ -0,0 +1,59 @@
+# goauthentik/authentik Terraform provider.
+#
+# Adopted 2026-04-18 (Wave 6a of the state-drift consolidation plan) to bring
+# the catch-all Proxy Provider — previously managed only via the Authentik UI
+# — under Terraform management. API token lives in Vault
+# `secret/authentik/tf_api_token` (token identifier `terraform-infra-stack`,
+# intent API, user akadmin, no expiry). Required-providers declaration sits
+# in the central terragrunt.hcl so every stack has it available; only this
+# stack configures a provider block.
+
+data "vault_kv_secret_v2" "authentik_tf" {
+  mount = "secret"
+  name  = "authentik"
+}
+
+provider "authentik" {
+  url   = "https://authentik.viktorbarzin.me"
+  token = data.vault_kv_secret_v2.authentik_tf.data["tf_api_token"]
+}
+
+data "authentik_flow" "default_authorization_implicit_consent" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_flow" "default_provider_invalidation" {
+  slug = "default-provider-invalidation-flow"
+}
+
+# -----------------------------------------------------------------------------
+# Catch-all Proxy Provider + Application.
+#
+# Created via the Authentik UI ~a year ago; adopted into Terraform 2026-04-18
+# (Wave 6a). The proxy provider is consumed by the embedded outpost
+# (uuid 0eecac07-97c7-443c-8925-05f2f4fe3e47) via an outpost-level binding
+# that stays in the UI — it's a single toggle with no drift risk.
+# -----------------------------------------------------------------------------
+
+resource "authentik_application" "catchall" {
+  name              = "Domain wide catch all"
+  slug              = "domain-wide-catch-all"
+  protocol_provider = authentik_provider_proxy.catchall.id
+  lifecycle {
+    ignore_changes = [meta_description, meta_launch_url, meta_icon, group, backchannel_providers, policy_engine_mode, open_in_new_tab]
+  }
+}
+
+resource "authentik_provider_proxy" "catchall" {
+  name          = "Provider for Domain wide catch all"
+  mode          = "forward_domain"
+  external_host = "https://authentik.viktorbarzin.me"
+  cookie_domain = "viktorbarzin.me"
+  # Flow UUIDs resolved dynamically so a flow re-creation (keeping the slug)
+  # doesn't require an HCL edit.
+  authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id
+  invalidation_flow  = data.authentik_flow.default_provider_invalidation.id
+  lifecycle {
+    ignore_changes = [property_mappings, jwt_federation_sources, skip_path_regex, internal_host, basic_auth_enabled, basic_auth_password_attribute, basic_auth_username_attribute, intercept_header_auth, access_token_validity]
+  }
+}
diff --git a/terragrunt.hcl b/terragrunt.hcl
index d11f8b93..0376f6ed 100644
--- a/terragrunt.hcl
+++ b/terragrunt.hcl
@@ -62,6 +62,10 @@ terraform {
       source  = "cloudflare/cloudflare"
       version = "~> 4"
     }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "~> 2024.10"
+    }
   }
 }