feat: add authentik-ldap module

tofu/modules/authentik-ldap/.terraform.lock.hcl

@@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/goauthentik/authentik" {
+  version     = "2025.10.1"
+  constraints = "2025.10.1"
+  hashes = [
+    "h1:X0bV1LqI7nu4np+xiGP8yLVfyl6rh/XNXz7QQ7Hsr6g=",
+    "zh:02ac2478c8901043a0455b8b6b8185e9814786bd802a9aa6d4126d4f56d4735d",
+    "zh:24d680732a9ea72a86c1e7bf4aa13ab9cc0c60ee4bd4cae8af43670eff88edd9",
+    "zh:4f415f177671eeea2234eb835479bbb710e811e60864cec6a00ee0e03a412fa3",
+    "zh:55498caa20504dd52a1870823e15dec6c78948eac2e6ec98e6ec122b5407630b",
+    "zh:570f9ca7f909bda94b97feab7898ef392e01ae6178d8a9d36aac984d8a433ec1",
+    "zh:92ac78b97e2d5310ed82233980f941ebecf69ae1f9d03f3e719d8687aa6f4cc7",
+    "zh:95f852a4e7d22daac86901ebc6b327d5987832b707ad3fd3aeff6c36dd088717",
+    "zh:98c8659f468a58a9d224b2fca9d5909d39bcabf9e2593e9b4a574dbffb6e2dca",
+    "zh:a7d1428ec803ae794ebb05d772fa44020827a6b762a5b2da11869fc618ea59cd",
+    "zh:b1ef054b09fed4282c625a38a4aa6d1276c58e541f4cffcc716aa7d2b773f30a",
+    "zh:b95e3edeb0da3ee0c0392afa18957cf7d41b2f71ed08a50f4bf38010aaf77d30",
+    "zh:c3ce9f57889e6bb33f34ee4cc4463a77652b811351bbb25e6fc5ba9dc0c61e14",
+    "zh:f6d2fe811ad5c242ced99a6b51b2d7f60f060d4bc6837fe1026c2abb7cb6f9a4",
+    "zh:f78b8e20e7d9f53e1622051c706369a7c6d0f1e37c16df67a214697cd5d0a4fb",
+  ]
+}

tofu/modules/authentik-ldap/main.tf

@@ -0,0 +1,45 @@
+terraform {
+  required_version = ">= 1.6"
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2025.10.1"
+    }
+  }
+}
+
+
+data "authentik_flow" "default-authentication-flow" {
+  slug = "default-authentication-flow"
+}
+
+data "authentik_flow" "default-invalidation-flow" {
+  slug = "default-invalidation-flow"
+}
+
+
+resource "authentik_provider_ldap" "provider_ldap" {
+  base_dn     = var.base_dn
+  bind_flow   = data.authentik_flow.default-authentication-flow.id
+  name        = var.name
+  unbind_flow = data.authentik_flow.default-invalidation-flow.id
+}
+
+
+resource "authentik_application" "app" {
+  name              = var.app_name
+  slug              = var.app_slug
+  protocol_provider = authentik_provider_ldap.provider_ldap.id
+  open_in_new_tab   = var.open_in_new_tab
+  meta_icon         = var.app_icon
+  meta_description  = var.app_description
+  meta_publisher    = var.app_publisher
+  meta_launch_url   = var.app_url
+}
+
+resource "authentik_policy_binding" "app_access" {
+  target = authentik_application.app.uuid
+  group  = var.app_access_group_id
+  order  = 0
+  count  = var.app_access_group_id != "" ? 1 : 0 # only add it if the group's name exists
+}

tofu/modules/authentik-ldap/vars.tf

@@ -0,0 +1,52 @@
+variable "app_name" {
+  description = "App name"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+  type        = string
+}
+
+
+variable "app_access_group_id" {
+  description = "ID of a group which will have access to the app"
+  type        = string
+}
+
+
+variable "open_in_new_tab" {
+  type        = bool
+  description = "Open apps in a new tab"
+  default     = true
+}
+
+variable "app_icon" {
+  type    = string
+  default = ""
+}
+
+variable "app_description" {
+  type    = string
+  default = ""
+}
+
+variable "app_publisher" {
+  type    = string
+  default = ""
+}
+variable "app_url" {
+  type    = string
+  default = ""
+}
+
+
+variable "base_dn" {
+  type        = string
+  description = "Base DN"
+}
+
+variable "name" {
+  type        = string
+  description = "Name"
+}

tofu/modules/authentik-oidc/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.10.1"
     }
   }
 }

tofu/modules/authentik-proxy/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     authentik = {
       source  = "goauthentik/authentik"
-      version = "2025.10.0"
+      version = "2025.10.1"
     }
   }
 }