When I run my existing state with authentik terraform definitions against a fresh setup it does not detect that remote states are lost. Instead, it throws some errors.

Workaround: need to delete state manual before terraform plan/apply.

Expected: missing remote resources should be restored/re-created.

Hi @BeryJu, thanks for everything you've done so far! While configuring the provider, I had to look into the code to check if I could pass environment variables to it. This PR intends to add some documentation, as well as facilitate the generation of the documentation.

• Add documentation for configuring provider with environment variables
• By introducing tools/tools.go, we manage the dependency on terraform-plugins-docs in the go.mod. By that, we can make sure that we don't end up in a situation where two contributers have different versions of terraform-plugins-docs and therefore generate different documentation
• I ran go mod tidy and removed two (unneeded?) dependencies
• Running go generate will lead to slightly different formatting of the files in docs. I didn't include them in the PR, as I don't want to spam the PR with 50+ formatting changes.

I'm looking forward to your thoughts on this :)

Description

The fields in authentik_outpost.config are not all recognised/applied. Fields:

• kubernetes_ingress_secret_name
• object_naming_template

these 2 are always using the system default values. Others seem to work fine (not tested all). Changing these values in the authentik admin ui works as intended.

Example:

terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2022.1.1"
    }
  }
}

data "authentik_flow" "default_provider_authorization_explicit_consent" {
  slug = "default-provider-authorization-explicit-consent"
}

resource "authentik_provider_proxy" "test" {
  name               = "test"
  internal_host      = "http://test.default.svc.cluster.local"
  external_host      = "https://test.domain.io"
  authorization_flow = data.authentik_flow.default_provider_authorization_explicit_consent.id
}

resource "authentik_service_connection_kubernetes" "local" {
  name  = "Local Kubernetes Cluster"
  local = true
}

resource "authentik_outpost" "test" {
  name               = "test"
  service_connection = authentik_service_connection_kubernetes.local.id
  protocol_providers = [
    authentik_provider_proxy.test.id
  ]
  type = "proxy"
  config = jsonencode(
    {
      authentik_host                 = "https://authentik.domain.io"
      authentik_host_browser         = ""
      authentik_host_insecure        = false
      container_image                = null
      docker_labels                  = null
      docker_map_ports               = true
      docker_network                 = null
      kubernetes_disabled_components = []
      kubernetes_image_pull_secrets  = []
      kubernetes_ingress_annotations = {
        "cert-manager.io/cluster-issuer"                   = "letsencrypt-production"
        "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
      }
      kubernetes_ingress_secret_name = "authentik-outpost-test-cert"
      kubernetes_namespace           = "authentik-system"
      kubernetes_replicas            = 1
      kubernetes_service_type        = "ClusterIP"
      log_level                      = "debug"
      object_naming_template         = "ak-outpost-%(name)s"
    }
  )
}

Expected Behaviour

Config fields should accept all values.

Workaround

Prevent creation of ingress and create ingress with terraform :/

The example given in for data authentik_flow always errors when used, ie

data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}

it returns:

│ Error: No matching flows found
│ 
│   with data.authentik_flow.default-authorization-flow,
│   on authentik.tf line 47, in data "authentik_flow" "default-authorization-flow":
│   47: data "authentik_flow" "default-authorization-flow" {

I can query the api by hand on my fresh instance and know its there. The openapi gui even finds it when submitting by hand. I can I can communicate with authentik fine as I can create the rest of the resources using tf.

Versions: TF provider: 2022.6.3 Authentik instance: 2022.5.2

Provider version: 2021.10.3 Terraform version: v1.0.11 System: Linux Mint 20.02 Kernel: 5.4.0-91-generic x86_64

Error message:

2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: PANIC: runtime error: invalid memory address or nil pointer dereference
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: [signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x10c57b7]
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: goroutine 93 [running]:
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: goauthentik.io/terraform-provider-authentik/internal/provider.httpToDiag(0x0, 0x14b0800, 0xc00027ca80, 0xc000544368, 0xc000036d20, 0x24)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	goauthentik.io/terraform-provider-authentik/internal/provider/utils.go:94 +0x37
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: goauthentik.io/terraform-provider-authentik/internal/provider.resourceLDAPPropertyMappingRead(0x14c08c8, 0xc0001e5380, 0xc0000d3300, 0x11400e0, 0xc0000a0128, 0xc0001fc6d0, 0xc0003c3908, 0x40e0f8)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	goauthentik.io/terraform-provider-authentik/internal/provider/resource_property_mapping_ldap.go:67 +0x231
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc0002bae00, 0x14c0858, 0xc0001b3c40, 0xc0000d3300, 0x11400e0, 0xc0000a0128, 0x0, 0x0, 0x0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:347 +0x17f
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc0002bae00, 0x14c0858, 0xc0001b3c40, 0xc0001e71e0, 0x11400e0, 0xc0000a0128, 0xc0000a1370, 0x0, 0x0, 0x0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:624 +0x1cb
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc0000c82e8, 0x14c0858, 0xc0001b3c40, 0xc0001b3c80, 0xc0001b3c40, 0x40b965, 0x12a4da0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:576 +0x47d
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc0005948c0, 0x14c0900, 0xc0001b3c40, 0xc0001e4ea0, 0xc0005948c0, 0xc0001f7410, 0xc0001cfba0)
2021-11-29T12:32:52.644+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:298 +0x105
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler(0x12f12c0, 0xc0005948c0, 0x14c0900, 0xc0001f7410, 0xc0001e4e40, 0x0, 0x14c0900, 0xc0001f7410, 0xc0001a2380, 0xe0)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:344 +0x214
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: google.golang.org/grpc.(*Server).processUnaryRPC(0xc00023cc40, 0x14c8af8, 0xc000083e00, 0xc000143e00, 0xc000457290, 0x1bf4630, 0x0, 0x0, 0x0)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:1194 +0x52b
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: google.golang.org/grpc.(*Server).handleStream(0xc00023cc40, 0x14c8af8, 0xc000083e00, 0xc000143e00, 0x0)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:1517 +0xd0c
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000038410, 0xc00023cc40, 0x14c8af8, 0xc000083e00, 0xc000143e00)
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:859 +0xab
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: created by google.golang.org/grpc.(*Server).serveStreams.func1
2021-11-29T12:32:52.645+0100 [DEBUG] provider.terraform-provider-authentik_v2021.10.3: 	google.golang.org/[email protected]/server.go:857 +0x1fd
2021-11-29T12:32:52.646+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-11-29T12:32:52.646+0100 [ERROR] plugin.(*GRPCProvider).ReadResource: error="rpc error: code = Unavailable desc = transport is closing"

Hi.

I did password recovery, added policy HIBP to it, but it doesn't work like that, because the policy is waiting for the password field, but it doesn't let you enter the password. If this policy is set to a lower level, the policy does not check the password. Tell me what I'm doing wrong, and how to set this policy correctly.

Currently, the terraform provider causes an inconsistent client_secret when the backend generates it. This causes other resources that use that client secret to then fail to create because of inconsistent input data.

Terraform version: 2022.6.3 Authentik version: 2022.5.3

I believe it is an issue with the storage as running the system in trace mode shows the api return to be consistent, but for it not to be what was stored in tfstate. This would be either an issue when the secret is deserialized from json or when it is stored.

Example

A trivial example between connecting authentik with hashicorp vault:

resource "authentik_provider_oauth2" "vault" {
  name               = "vault"
  client_id          = "vault"
  signing_key        = "SomeEXISTINGKEy
  authorization_flow = "6c990535-adcf-4196-8b87-4ec8548c1b20"
  redirect_uris = [
    "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8200/oidc/callback",
    "http://localhost:8250/oidc/callback",
  ]
}

resource "authentik_application" "vault" {
  name              = "Vault"
  slug              = "vault"
  protocol_provider = authentik_provider_oauth2.vault.id
}

resource "vault_jwt_auth_backend" "authentik" {
  type               = "oidc"
  path               = "oidc"
  description        = "out authentik backend"
  oidc_client_id     = authentik_provider_oauth2.vault.client_id
  oidc_client_secret = authentik_provider_oauth2.vault.client_secret
  oidc_discovery_url = "http://localhost:9000/application/o/${authentik_application.vault.slug}/"
  default_role       = "reader"
  tune {
    listing_visibility = "unauth"
  }
}

This will error with the following:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for vault_jwt_auth_backend.authentik to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/vault" produced an
│ invalid new value for .oidc_client_secret: inconsistent values for sensitive attribute.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

However, running terraform in trace mode will show more detail:

{"pk":4,"name":"vault","authorization_flow":"6c990535-adcf-4196-8b87-4ec8548c1b20","property_mappings":[],"component":"ak-provider-oauth2-form","assigned_application_slug":"vault","assigned_application_name":"Vault","verbose_name":"OAuth2/OpenID Provider","verbose_name_plural":"OAuth2/OpenID Providers","meta_model_name":"authentik_providers_oauth2.oauth2provider","client_type":"confidential","client_id":"vault","client_secret":"QG`}7gW|M#%$Mu,$I;{RSF_M[7x\\4Ub1qORcx4xS[7?g9>=rRYuj=GK^,_!s0^QX+MSTL-GV#TX_D\\rg-UzESGE@wnGZw0c:UuxFvq|SYIZ0M)C}rg1HMjh&.urHN!sO","access_code_validity":"minutes=1","token_validity":"minutes=10","include_claims_in_id_token":true,"signing_key":"2478cf44-fa23-42c0-9370-a8fd12c61aeb","redirect_uris":"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\nhttp://localhost:8200/oidc/callback\nhttp://localhost:8250/oidc/callback","sub_mode":"hashed_user_id","issuer_mode":"per_provider","verification_keys":[]}: timestamp=2022-07-04T00:29:13.502-0400
2022-07-04T00:29:13.503-0400 [INFO]  provider.terraform-provider-authentik_v2022.6.3: 2022/07/04 00:29:13 
GET /api/v3/providers/oauth2/4/ HTTP/1.1
Host: localhost:9000
User-Agent: [email protected]
Accept: application/json
Authorization: Bearer cHMFTeCsS2T1lPyXcwaUELBqKutqyxOlfFueGs0i15EC3JXjDTHRqrBJrUFVM2l39KRjrCUcjvWRNQ8voDbz9in5KglzKrb0k5sZvdQzRN9uejSMBWTJWi8mvjWkJpAM
Accept-Encoding: gzip
: timestamp=2022-07-04T00:29:13.502-0400
2022-07-04T00:29:13.547-0400 [WARN]  Provider "provider[\"registry.terraform.io/goauthentik/authentik\"]" produced an unexpected new value for authentik_provider_oauth2.vault, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .client_secret: inconsistent values for sensitive attribute

So the client secret is detected drifting and this is indeed the case, inspecting the tfstate file I find:

            "client_secret": "QG`}7gW|M#%$Mu,$I;{RSF_M[7x\\4Ub1qORcx4xS[7?g9\u003e=rRYuj=GK^,_!s0^QX+MSTL-GV#TX_D\\rg-UzESGE@wnGZw0c:UuxFvq|SYIZ0M)C}rg1HMjh\u0026.urHN!sO",

For ease of comparison, the client_secret from the api response repeated here to make it easier to see:

"client_secret":"QG`}7gW|M#%$Mu,$I;{RSF_M[7x\\4Ub1qORcx4xS[7?g9>=rRYuj=GK^,_!s0^QX+MSTL-GV#TX_D\\rg-UzESGE@wnGZw0c:UuxFvq|SYIZ0M)C}rg1HMjh&.urHN!sO"

It appears it has incorrectly translated some of the characters into unicode when storing them that is causing issues.

A data source authentic_stage would make it easier to provide an adaption of standard flows, because existing stages could be used and only the stages, which need to be changed, have to be provided.

I am getting a diff for the following resource definition:

resource "authentik_stage_identification" "identification" {
  name           = "terraform-identification"
  user_fields    = ["username","email"]
  #sources        = ["authentik.core.auth.InbuiltBackend"]
  password_stage = authentik_stage_password.password.id
  recovery_flow  = authentik_flow.recovery.uuid
  case_insensitive_matching = true
}

Delta by terraform apply:

  # module.authentik.authentik_stage_identification.identification will be updated in-place
  ~ resource "authentik_stage_identification" "identification" {
        id                        = "d335a821-9929-47a3-ad93-bc6a609a4a1c"
        name                      = "terraform-identification"
      ~ sources                   = [
          - "6118cbe1-c3b2-4b21-9d4e-9d4ef1fedca5",
        ]
        # (6 unchanged attributes hidden)
    }

We need a data provider for the Authentik built-in authentication so its UUID can be used.

The resource_stage_promt resource was being returned in inverse order and therefore generating always the following diff by terraform apply:

  ~ resource "authentik_stage_prompt" "password_change" {
      ~ fields              = [
          - "2bc5513c-0e3f-4e60-937d-6c001a589eb4",
            "0610c421-d7fa-45ff-a6c8-14e4329f5fca",
          + "2bc5513c-0e3f-4e60-937d-6c001a589eb4",
        ]
        id                  = "2a4533c2-5e1f-4cce-a761-76a2b876ce6a"
        name                = "terraform_password_change"
        # (1 unchanged attribute hidden)
    }

This PR sorts the reply from the API to avoid the delta.

Bumps goauthentik.io/api from 0.2021125.1 to 1.2021.9.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Hi All, I have an issue running the terraform init command. Its not taking the proxy authentication and I can't find a way to run it using the proxy authentication. even I configure powershell with my proxy setting init command keep failing.

When I do a curl command https://registry.terraform.io with proxy settings its working.

Can someone please help me how to run this "terraform init" command with proxy settings + proxy authentication?

consider the following resource

resource "authentik_stage_prompt_field" "username" {
  field_key              = "username"
  required               = true
  type                   = "text"
  label                  = "Username"
  placeholder = <<EOT
try:
  return user.username
except:
  return ''
EOT
  # placeholder            = "try:\n    return user.username\nexcept:\n    return ''"
  placeholder_expression = true
  order                  = 200
}

This will always show a change

Terraform will perform the following actions:

  # authentik_stage_prompt_field.username will be updated in-place
  ~ resource "authentik_stage_prompt_field" "username" {
        id                     = "999be44a-97b5-4ae0-a87c-32207bb1dd60"
      ~ placeholder            = <<-EOT
            try:
              return user.username
            except:
              return ''
        EOT
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

When converting it to inline (eg replacing the whitespace with escape characters) it will work properly.

Hi , would be great to have a data "authentik_prompt_fields" at i don't know how to get UUID of existingprompt field

another suggestion would be great to modify existing stage with terraform, instead of creating quasi same stage , with only one difference.

john

I started a crossplane provider for authentik based on terrajet and this terraform provider. Is there any interest to use this and/or share it here in the future? provider-jet-authentik

I would like to create a new tenant with Terraform and have that one be the default one instead of authentik-default without having to manually mark it as the non-default (or having to terraform import it). Right now if I try to do it, I get an error saying that only one tenant can be the default, and Terraform refuses to create the resource.

Would it be possible to either make the behavior of default = true such that if only authentik-default exists the provider makes the new one the default OR to have an explicit force_default field that will trigger this behavior?

I know that the behavior can get a little more complicated when having more than one non-default tenants and I'm not sure how that could be handled. Maybe just documenting that you can only use default = true (or force_default = true) on one authentik_tenant instance, and/or use ignore_changes on all the other ones?