From 96843e24b924f6980dbe6e724b7a02b4919947be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?c=C4=83t=C4=83lin?=
Date: Tue, 26 Nov 2024 20:06:33 +0100
Subject: [PATCH] chore(deps): update terraform authentik to v2024.10.2
---
tofu/authentik/.terraform.lock.hcl | 47 ++++++++--------------
tofu/authentik/main.tf | 58 ++++++++++++++++++++--------
tofu/modules/authentik-oidc/main.tf | 8 ++--
tofu/modules/authentik-oidc/vars.tf | 2 +-
tofu/modules/authentik-proxy/main.tf | 2 +-
5 files changed, 64 insertions(+), 53 deletions(-)
diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl
index cb46ce0..fc45e2c 100644
--- a/tofu/authentik/.terraform.lock.hcl
+++ b/tofu/authentik/.terraform.lock.hcl
@@ -2,36 +2,23 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/goauthentik/authentik" { - version = "2024.10.1" - constraints = "2024.10.1" + version = "2024.10.2" + constraints = "2024.10.2" hashes = [ - "h1:/Eo+yQyGAKK67bkgt1plX5X41mkRKu5br66XYnL/UyQ=", - "h1:1S06FnDvjDsdOm/2J/M95FypohflaT0a9OUOwl4S87o=", - "h1:7c3PvOLtsB0F4KHdGT1bTq2mzeNjx4TaNlVKRX78vAc=", - "h1:8NUPNLWr9/klFJckfw6HkOMqsGhTTdePUmlBRLOIJjY=", - "h1:Ariy1e/DAbcoXS9Wud/Ad3rEC1cLqQ7HdcHBzfTRiSM=", - "h1:Bc9zVu8DyzeveEqEaCitlsvzBEY6CU/F648PEjrFYuk=", - "h1:D5mConUujTcrau12WRa+Qg1lvPJLzjc76ClIYevJtVw=", - "h1:FFYDaQDN8nbfsjwp8kw7YO6xsFCJlhtKSXx9gdLLbok=", - "h1:Qfd127te/m5E0LAJvJ9kGWKdCXQdFXlz3ve+nV3HsWM=", - "h1:RpNxc5WPT5H3WoKP8t7yKLO7MUAuHgfjm/rifaKpYM8=", - "h1:XifS+/OiEMhGI7MQnQtF3ACScqWB/N2Sr/bIrvSKOag=", - "h1:YMreOu0B0U2v8azRZ/iVJPhoDedlATNHCam1iztTUks=", - "h1:eIMjryDbwEUWlBOFPtGWPf9NdNVWeGLeniVzafoPXZU=", - "h1:v6XQwr4PDKtgHtdgCq03iYme4VaJAG8kSH4aKJL0OSw=", - "zh:149c76107f75ea5b530409d81cd3b63abc5478831c1f794df1fc12acd5f7ac78", - "zh:60bf7a62ec4bb742121f708b1e964b6bc816988e14c9e831723f0788a5c22471", - "zh:625f1eecf87e1d741bc99b69aa0aac3c82a4040bb9e704e2c20b09e562517c20", - "zh:690f247fd428dd7659aad3189a86288c784fdedbeb8cd75295aa417338d126b2", - "zh:6be8c0c70b18da79b5c7cb19ca445a1607404b7e1caff9bdb8e2330c22a591c6", - "zh:77bd031a28ec92a215cc5c12381791239ad43087c37f73ab1538f909e15ceae5", - "zh:78ffd4fe7b65220db2d33430240507395a71ef8e1dd1c22d82fd547855113df5", - "zh:7c0414978a45481bbeb8fc1aed1806409a2499967bd30edfcf9c34d1005d0faa", - "zh:7df2c43de2555c11b761a938e2414f25165845d932ca95d562ccabfe3a78a209", - "zh:819baedab497151fabcc9c887bcb07382a371708e3f9632ae1a58563ba79104f", - "zh:891208df7e634c2de7cb164d1ed88d492e7852abd32293b727b5b82f32efd7e7", - "zh:b6385a881b7098f6a6260f7b298eb26ef06eeed02a90ffdff9d2d7cf72fdaa27", - "zh:ce642bbd35babd93339a80549552823ec743397e456f18dbcffdf5af3fec612e", - "zh:ffd96ddda256a49097b21e6e672ef63d532a960bbc5455958102900ce79a4a10", 
+ "h1:qjDOLb8+12kZHSM3VsItQCsZYJhDMD4bNKSZi15HQ28=", + "zh:06c6c9bb2716052fefc1013ed1a77a12159d5625fe43857700c282e80e2fbba1", + "zh:121e45b3d3675df24e2c1bb107e2ed15fc9f1ec8b602b9bdaebec71481addf0c", + "zh:2aec74c8df3e3eb56fb09edcb1c7f43c91f932b2ef2327aa855ba0819f11169e", + "zh:4f2bf009f43293a24cc8941d4bbab340a53f569a9331aa615a7934f500a64290", + "zh:64b150655b47c60e6ae72a2ee754f5019b2baabd4dc292a6b2b960b3a206e218", + "zh:78bf3fd7cbac489d23a620743e5af5b85b31fc548433cf86f0861878b68f2666", + "zh:7ce7a02671056d476d17652d780ee2bd309ce34eb77746719b7b277ca66b7c58", + "zh:84fdb911186918cbba86c1390ce18a4423f0d748216f2d9c8421801b34b41f16", + "zh:95db38fb110302707cd70471f5cb2bf361ed6d5987f7b6fe5f3c5855f9dc9b64", + "zh:9c24dbf6512637bb1d4201a901dddef0210b440ad8b02717ca1167b75afa6882", + "zh:a83bc8bfe87e44c788c3c974e764c7bfb1c5fb982f427a5b928c50e55b48dea6", + "zh:b5a4d5d1f2f0e8d65ad29a23bfd72d0d4e3e06e9bacea9463a10e67137833409", + "zh:d1e08a662ab7c80373bc13446c9b316a671fcddec6aeffef7ab3649d1bbfb76b", + "zh:e1c50a791f2d53f7b464ab122f92062547d5a4ad71297f5e7f0375453cd2034f", ] } diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index d7bb06f..3d8f724 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -8,7 +8,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2024.10.1" + version = "2024.10.2" } } } @@ -40,7 +40,7 @@ module "gitea" { client_id = var.gitea_client_id client_secret = var.gitea_client_secret app_access_group_id = "" - redirect_uris = ["https://git.roboces.dev/user/oauth2/authentik/callback"] + redirect_uris = [{ matching_mode = "strict", url = "https://git.roboces.dev/user/oauth2/authentik/callback" }] app_icon = "https://git.roboces.dev/assets/img/logo.svg" app_description = "Beyond coding. We forge." app_publisher = "Forgejo" 
@@ -55,12 +55,21 @@ module "miniflux" { client_id = var.miniflux_client_id client_secret = var.miniflux_client_secret app_access_group_id = "" - redirect_uris = ["https://feeds.roboces.dev/oauth2/oidc/callback", "https://feeds.fuku/oauth2/oidc/callback"] - app_icon = "https://miniflux.app/favicon.ico" - app_description = "RSS aggregator" - app_publisher = "Miniflux" - app_url = "https://feeds.roboces.dev" - sub_mode = "hashed_user_id" + redirect_uris = [ + { + matching_mode = "strict", + url = "https://feeds.roboces.dev/oauth2/oidc/callback" + }, + { + matching_mode = "strict", + url = "https://feeds.fuku/oauth2/oidc/callback" + } + ] + app_icon = "https://miniflux.app/favicon.ico" + app_description = "RSS aggregator" + app_publisher = "Miniflux" + app_url = "https://feeds.roboces.dev" + sub_mode = "hashed_user_id" } module "portainer" { @@ -71,7 +80,10 @@ module "portainer" { client_secret = var.portainer_client_secret app_access_group_id = authentik_group.admins.id redirect_uris = [ - "https://containers.fukurokuju.dev/" + { + matching_mode = "strict", + url = "https://containers.fukurokuju.dev/" + } ] app_icon = "https://www.portainer.io/hubfs/crane-icon.svg" app_description = "Kubernetes and Docker container Management Software" @@ -87,11 +99,13 @@ module "paperless" { client_id = var.paperless_client_id client_secret = var.paperless_client_secret app_access_group_id = "" - redirect_uris = ["https://paperless.roboces.dev/accounts/oidc/authentik/login/callback/"] - app_icon = "https://paperless.roboces.dev/favicon.ico" - app_description = "Document manager" - app_publisher = "Paperless" - app_url = "https://paperless.roboces.dev" + redirect_uris = [ + { matching_mode = "strict", url = "https://paperless.roboces.dev/accounts/oidc/authentik/login/callback/" } + ] + app_icon = "https://paperless.roboces.dev/favicon.ico" + app_description = "Document manager" + app_publisher = "Paperless" + app_url = "https://paperless.roboces.dev" } module "sonarr" { 
@@ -136,9 +150,19 @@ module "netbird" { client_type = "public" app_access_group_id = authentik_group.vpn.id redirect_uris = [ - "https://vpn.fukurokuju.dev", - "https://vpn.fukurokuju.dev.*", - "http://localhost:53000" + { + matching_mode = "strict", + url = "https://vpn.fukurokuju.dev", + }, + { + matching_mode = "regex", + url = "https://vpn.fukurokuju.dev.*", + }, + { + matching_mode = "strict", + url = "http://localhost:53000" + }, + ] sub_mode = "user_id" extra_property_mappings = [ diff --git a/tofu/modules/authentik-oidc/main.tf b/tofu/modules/authentik-oidc/main.tf index ba8396e..7ba7af3 100644 --- a/tofu/modules/authentik-oidc/main.tf +++ b/tofu/modules/authentik-oidc/main.tf @@ -3,12 +3,12 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2024.10.1" + version = "2024.10.2" } } } -data "authentik_flow" "default-authorization-flow" { +data "authentik_flow" "default-authorization-implicit-flow" { slug = "default-provider-authorization-implicit-consent" } @@ -35,9 +35,9 @@ resource "authentik_provider_oauth2" "provider_oidc" { client_id = var.client_id client_secret = var.client_secret client_type = var.client_type - authorization_flow = data.authentik_flow.default-authorization-flow.id + authorization_flow = data.authentik_flow.default-authorization-implicit-flow.id authentication_flow = data.authentik_flow.default-authentication-flow.id - redirect_uris = var.redirect_uris + allowed_redirect_uris = var.redirect_uris property_mappings = data.authentik_property_mapping_provider_scope.default-scopes.ids sub_mode = var.sub_mode signing_key = var.oidc_signing_key diff --git a/tofu/modules/authentik-oidc/vars.tf b/tofu/modules/authentik-oidc/vars.tf index ee9583e..3430106 100644 --- a/tofu/modules/authentik-oidc/vars.tf +++ b/tofu/modules/authentik-oidc/vars.tf 
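Review bot: The `regex` entry in the netbird `redirect_uris` list, `https://vpn.fukurokuju.dev.*`, is looser than it reads: the dots are unescaped and the trailing `.*` begins directly after `dev`, so a host of the form `vpn.fukurokuju.dev.<other-domain>` would also satisfy the pattern, and this provider is a `public` client with no secret behind the redirect check. If the intent is "any path on the VPN host", escape the dots and require a path separator, e.g. `url = "https://vpn\\.fukurokuju\\.dev/.*"`; the strict entry above it already covers the bare origin. The pattern is carried over unchanged from the old string list, so this is presumably existing behaviour made explicit rather than a regression, and how authentik anchors regex entries should be confirmed against its documentation. The `module "netbird"` block starts and ends outside this hunk.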
@@ -35,7 +35,7 @@ variable "app_access_group_id" { variable "redirect_uris" { description = "List of URIs allowed to redirect to" - type = list(string) + type = list(map(string)) } variable "sub_mode" { diff --git a/tofu/modules/authentik-proxy/main.tf b/tofu/modules/authentik-proxy/main.tf index 62ed0e3..3f8b728 100644 --- a/tofu/modules/authentik-proxy/main.tf +++ b/tofu/modules/authentik-proxy/main.tf @@ -3,7 +3,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "2024.10.1" + version = "2024.10.2" } } }
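Review bot: `list(map(string))` in `variable "redirect_uris"` accepts arbitrary string keys, so a misspelled `matching_mode` or an unintended mode value in a caller is not caught by the module and only surfaces, if at all, at the provider. Declaring each element as an object with `matching_mode` and `url`, plus a validation that limits `matching_mode` to `strict` or `regex`, would make a malformed redirect allow-list fail at plan time; the description should also say that each entry carries a mode. This assumes the provider attribute accepts the object form through the usual conversion to a map of strings, which a plan run would confirm.

```hcl
variable "redirect_uris" {
  description = "Allowed redirect URIs; each entry sets matching_mode (strict or regex) and url"
  type = list(object({
    matching_mode = string
    url           = string
  }))

  validation {
    condition     = alltrue([for u in var.redirect_uris : contains(["strict", "regex"], u.matching_mode)])
    error_message = "Each redirect URI must set matching_mode to \"strict\" or \"regex\"."
  }
}
```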