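terraform {
  required_version = ">= 1.6"

  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2026.2.0"
    }
  }
}

# Flows the provider is wired to. Each is resolved by slug, so an authentik
# instance where the managed flow was renamed fails at plan time rather than
# silently producing a provider with no flow attached.
data "authentik_flow" "default-authorization-implicit-flow" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
}

# Scope mappings exposed by the provider: the four built-in ones plus whatever
# the caller adds via var.extra_property_mappings. offline_access is part of
# the default set, so every client created from this module may request
# refresh tokens; drop it from the list if a deployment should not issue them.
data "authentik_property_mapping_provider_scope" "default-scopes" {
  managed_list = concat([
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-openid",
    "goauthentik.io/providers/oauth2/scope-profile",
    "goauthentik.io/providers/oauth2/scope-offline_access",
  ], var.extra_property_mappings)
}

# The slug must match exactly; it previously carried a trailing space, which
# does not match the managed flow and breaks the lookup.
data "authentik_flow" "default-provider-invalidation-flow" {
  slug = "default-provider-invalidation-flow"
}

resource "authentik_provider_oauth2" "provider_oidc" {
  name = var.app_name

  # NOTE(review): var.client_secret should be declared `sensitive = true` in
  # the module's variables so it is redacted from plan/apply output. It is
  # still written to state, so the state backend needs to be treated as a
  # secret store regardless.
  client_id     = var.client_id
  client_secret = var.client_secret
  client_type   = var.client_type

  authorization_flow  = data.authentik_flow.default-authorization-implicit-flow.id
  authentication_flow = data.authentik_flow.default-authentication-flow.id
  invalidation_flow   = data.authentik_flow.default-provider-invalidation-flow.id

  # Redirect URIs are the main control against authorization-code leakage;
  # callers should pass exact URIs here rather than broad patterns.
  allowed_redirect_uris = var.redirect_uris

  property_mappings = data.authentik_property_mapping_provider_scope.default-scopes.ids
  sub_mode          = var.sub_mode
  signing_key       = var.oidc_signing_key

  access_code_validity   = var.access_code_validity
  access_token_validity  = var.access_token_validity
  refresh_token_validity = var.refresh_token_validity
}

resource "authentik_application" "app" {
  name              = var.app_name
  slug              = var.app_slug
  protocol_provider = authentik_provider_oauth2.provider_oidc.id
  open_in_new_tab   = var.open_in_new_tab

  meta_icon        = var.app_icon
  meta_description = var.app_description
  meta_publisher   = var.app_publisher
  meta_launch_url  = var.app_url
}

# Restricts the application to one group. The binding is created only when a
# group id was supplied; with no binding, authentik treats the application as
# accessible to any authenticated user, so an empty var.app_access_group_id
# means "open", not "locked down".
resource "authentik_policy_binding" "app_access" {
  count = var.app_access_group_id != "" ? 1 : 0

  target = authentik_application.app.uuid
  group  = var.app_access_group_id
  order  = 0
}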