fix(authentik): pin Vault binding UUIDs as literals (provider has no authentik_application data source)

CI pipeline 198 failed: the pinned goauthentik/authentik provider has no data "authentik_application" source, so terraform failed the whole authentik plan and applied NOTHING (state unchanged). Replace the data-source lookups with the live pbm_uuid (Vault app) and group_uuid (Allow Login Users) as literals; authentik_policy_binding is supported (used in guest.tf).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/authentik/vault-authz-binding.tf

@@ -13,16 +13,15 @@
 # The Vault application itself stays UI-managed (like the other OIDC apps); this
 # adds ONLY the authorization binding. policy_engine_mode on the app is "any", so
 # one group binding == membership in that group is required to authorize.
-data "authentik_application" "vault" {
+#
-  slug = "vault"
+# UUIDs are PINNED as literals: this provider version has NO
-}
+# `data "authentik_application"` data source (CI pipeline 198 failed on it), and
-
+# both objects are UI-managed and stable. To re-fetch if either is recreated, run
-data "authentik_group" "allow_login_users" {
+# `ak shell` in the goauthentik-server pod and read
-  name = "Allow Login Users"
+# `Application.objects.get(name="Vault").pbm_uuid` and
-}
+# `Group.objects.get(name="Allow Login Users").group_uuid`.
-
 resource "authentik_policy_binding" "vault_allow_login_users" {
-  target = data.authentik_application.vault.uuid
+  target = "fe5698e3-b6b1-4475-98fa-ce2bae22f4dd" # Authentik application "Vault" (pbm_uuid)
-  group  = data.authentik_group.allow_login_users.id
+  group  = "b4823cd7-8ed8-4d2f-8f94-bc285138f853" # group "Allow Login Users" (group_uuid)
   order  = 0
 }