diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index dc5f000..a8bcece 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -24,42 +24,42 @@ provider "registry.opentofu.org/cyrilgdn/postgresql" { } provider "registry.opentofu.org/goauthentik/authentik" { - version = "2024.8.4" - constraints = "~> 2024.8.0" + version = "2025.2.0" + constraints = "~> 2025.2.0" hashes = [ - "h1:bZS9RwjEc1FlLFMidiCzyUrFTC7VONufHBDgGjAtSWs=", - "zh:13040879209e226ba73dd3492849301f5d6233098decf4789dde4e75a7db00a3", - "zh:21e5b1403749e4577c85efe1e1ffbc7f70f910c9b025a66ee36d6d9e7a26834d", - "zh:3290e95ff74aa269031df2d9604526c977826d76c4c1c03b61c61d4767775f44", - "zh:5648de4e32e83f1162844dfae55c2c2ff23eb1b0ae0c6a251a38917d6c7407f0", - "zh:5a12f804038d3d84819954fe7666b84aa24bc2284682e5732302c0811401faa3", - "zh:6b61eaad598256beb677f170fcb63c2f56c8a9e2a8f6516c98802fab0009807d", - "zh:8071892662952c013bdee898a4f5dc4116c18e7e2fbcb0fa96afdf56e78a582f", - "zh:94aead29a3fb563c84eca7275a88f7b49e14f6bc7344cc06c766fdf638098d6d", - "zh:96ad4fddd7c4ff84f6c18e7106a7565c545e545ac8b8419f2c76216760e1a35a", - "zh:c5105037a5d9f0be8fd6a3ecbf08928e26acd3af587dbeb099a328c994cef6f6", - "zh:c69b47759a0b831270ba074002078ebf375da712f8c306053b880946cb80ae14", - "zh:cb76e7fcdffa73055670f2ecf88286353a3d70a9cc3528e77217ea00465a32c2", - "zh:d95b39d122b61c833e234b3fdf423495685cb20456efd761fdcbafc3817248e1", - "zh:fc1a55ce2f8f7872f6911afd68d5f76472ba247a2ad2d739010d15add2c7e268", + "h1:q5hy+FtU9m57Q5s1woKat+m/4PJbz6vcSGkPTnohDXs=", + "zh:0bb96e37ac26c1718572c3bb1a4d30fb3c9dc94639e8d9f10db83394a636e829", + "zh:207822ee1ee4c76ef64a2adc5dbaa2ea253f7fbb0cde0561c92af04fe1ddbeba", + "zh:3e3d33149912946b5026070df615da87505c3dd4eaa0e414c8cd4dbd701ee182", + "zh:430419376b2b4104518fab5e2689b360612de7283b0a31dde35f9fd62d0c5e17", + "zh:51a081059dc8b71fee79807b76449df5735749ff5e05f7ea0d572f4cb0e088f9", + "zh:594ab6d4bad1bbdc47b1f5ca2126192d41c71ae7c9f4f5cc00ad50981e5b7cfe", + "zh:5d526d9af9fdb34b7218fc2c2672f0673ce553605f3233de8f98d1080625d9f9", + "zh:6ce248cf8663f1968139e7b4d02c4477388be73fac7f3223c8fe19971a112d4c", + 
"zh:9d0e9dd50c81c2b12de59a539d26896b54b74eb0b3ee17d0314eb47d527b3596", + "zh:a522f8ef643743c6613fcf66bde31a40e3b2121d2e09c7c48b806920524ffd13", + "zh:aecfcfac59ce3a9de8b707b5ed6f3485169ccfabda15f2a61ef8b17f39e92e83", + "zh:d3af22ed49db703207b7697d385f65d4379e0748a50af97283cd7fde0487d736", + "zh:d5d853844d84349aa454b4d1a7d68800e747e1fc3c12fe522088747c06fcba52", + "zh:f7e11091d75e26e4033eb0bf96ffe7b1444e07b81a8cb1aae1ab022b2dc6d164", ] } provider "registry.opentofu.org/hashicorp/aws" { - version = "5.90.1" + version = "5.94.1" constraints = "~> 5.0" hashes = [ - "h1:u//6jTzb1xx7ITJUAT7TkqcVgYNmo63uxpjMlbshKWI=", - "zh:090d7544b88d928049094f24d390d3432edc0ad191a096e68dd775500fe0ca1b", - "zh:0ce79633dd94ddb6d9789c540140c2afd67f45147367dbe56e01919fad2d1291", - "zh:12218248e4efbfa9ad0541acbb27e679e7d90e69c2d84bc8d731706ac6d75abf", - "zh:3ffd37af717ae1494c240a51519e3408c755feeb7865220101081f1116140fa9", - "zh:41c88889e7075a21e196255056e5d6899fa2ac4b59b1f2e267e5f838945f15f0", - "zh:8b4874a7c1d27788c15e83e303097a3235a9b2adc5fa6998bb1bd4770381e0a2", - "zh:a3677cee57d18a8ac70361f254366fd5af99d5e25930a14816fa4ab0c2b911db", - "zh:b22a4aae3e1b47c3d84cb070036375cd11888c1e678a4dbe263b5458f1d0870d", - "zh:c0c7490b6e2d4fe34a1a5e16a72e06e109ae2c75356ca2b559550f6f5b48324e", - "zh:edfc1927e0ace6b2520f11cb45672181c63a58218bf7f6a93daf37e0301919b7", + "h1:Jj2epe7xRnMxRvgQxkYYc48eGRtPTixTHW84D4ViNfg=", + "zh:2cdc129ba213e949e48ec8edd43b288a403de879a953fdf65b5a261d06e0a41b", + "zh:30729876ada83b3a87863097adcf43ba0f523adf0c123b64d6b07854252e3fa1", + "zh:3d3b0a09fce307848871f145a89edf26ab8dc6138d03bbb6effa280e904a7590", + "zh:4751905b38328d1358343adb1ca4de375cb5d04444b1b9ca65ede5f8673e99ea", + "zh:90f679d2c9ef92307b93e345f8617e2b8901d71b3843fd463e2206e632060d55", + "zh:a6afd6da08b27630e5d723983de2e5d72f559a4acd2cbe5d4f52c9d054958e02", + "zh:b718c6f1cfc19e61104f0c058e173db6a3720a7ffca226d2d0a16d899845d27d", + "zh:b738cfde4bbf22446d8fc0f1952f754ed3996c1a13395fc2d17c4fd904e9c110", + 
"zh:e0c0b8166abc935e30aaf834091424b710d1ce7b18d2da2e4619ee70f065904e", + "zh:eaf138b103328edf5317e64af3013e25ba337d20fa1854c2a4199fcb2a13cbf0", ] } 
@@ -150,25 +150,25 @@ provider "registry.opentofu.org/kristofferahl/healthchecksio" { } provider "registry.opentofu.org/l-with/mailcow" { - version = "0.7.5" + version = "0.7.6" constraints = "~> 0.7.5" hashes = [ - "h1:gEiN/SOJl+T1V585/Pqk/Y3FkX8+An/M3zbztdEfmWk=", - "zh:0919018dfdab37f86b61dfe2ecd8d4b6a6532983edc6deab9e7f3d5ec1a45375", - "zh:16e513369e37f2d8fab43545940991c3ce2b140bb37c92bc77ec84240235ad26", + "h1:WCVoK/cRBuXoh/tEbp2xvNZWgU/f7RrQGzMk8OySktk=", + "zh:05949d1244453d44a36bffc715dfd4c96073e256208f8d959dd58001d6ea4306", + "zh:160498ea770ab83b36e63e56da3cbe5cb21973e593ebe204b7c01747a6bfbf96", "zh:19bcf3660ac7545103cf999e0066442f9d6350db9654e1496726520cef287246", - "zh:1f6d827f5c0a2253550def77d2473bf62b72355930b5d00f59dc1b0af5aff953", - "zh:242d5cb545f1b20be24672e984fb78c27bf21da27c25ccbac8cd8c3142d32d83", - "zh:40a17c3734c330f2d0e11adb377b04d8bf11e799e78f4bacf2797ee589312756", - "zh:475ac6440db8cb80df1e8e5bb475f7dd73548fabd50e60e78e66ccd2e6e63baf", - "zh:48a67a019575ca784275dbcd9f7ee209012c0b311db8b82b91511f7970e1f9d2", - "zh:6dc3f2a073264cf79230811f528d3a916b8753031c0dad80b9999f64aa6951ba", - "zh:71d64c63cb4abca1fc920d694785551dd9ef15b5b601a6682ec647bae4acc881", - "zh:7a7fa7621ac582802329565a010a96114a1c8a5638b8aefe62095bdbefc1c988", - "zh:a11f6332a9d5e2d1ca01a906576d48dcf99e9f75c6e376157e35c24aef1039b9", - "zh:bec618cd75e300a8ae98852a70b1b56cd0c2bc61e4e1b11178029822fffc32b4", - "zh:c8132e507938516f2595a00b1bc19e666fe8a3df0077ca3bbeb9107dacd4fd2d", - "zh:cfff5048bc75345eda1bc6067e4e92c8b7c24d5fdd985fdb5d2e30997d644d15", + "zh:1e10539c5c3a780e3a248bfc5f6d0d8c6045366eb56739a5349ce13ceac6c0e1", + "zh:2183fe7ede099dd0e150ed7e3536d9cf9e0cf15ba8440be1943d6926761caf99", + "zh:2dda4225b8158d84d08cac1579ffbab3b8c381c396e9200812fe9e9feb3ee879", + "zh:5efce9eb3dadec519037ee4f3d50315ee15c2bdd1d9080e5bbdd5f4870f3b7fe", + "zh:8bf6ad9c35b66939bef49ae044362248671a43e9dc176b35b697d7aba83951a5", + "zh:9b04ce957525a988f7fb146a727e66bcef2c8a0a81e975d7bd461ea09703a1c5", + 
"zh:bb9960eba5bfb10d9048b495308e5e94e15c068feb8e8041aa8901b414917774", + "zh:bf414ad7ea1a2b999c1b52bdda16362823b86740ef055046c11f1626f60614f8", + "zh:cb76c40272ade4b6037f709e6aecebb4d638799527b75c39eb4ca88bc5851cef", + "zh:d595d191fd5f42b11222e69725ad6fd54b45f9300ebec48e949260a51cbe7f05", + "zh:de28f531fadca5c5b1b2ff31de91803c696612323ed899c3b66596ad17751db6", + "zh:f3a07d0e09fd061a1726fdf28cc7d2aa45ba8cdbff1d2ba08e71fd019c8724ba", ] } diff --git a/main.tf b/main.tf index 05f15fe..3f6ba38 100644 --- a/main.tf +++ b/main.tf @@ -27,7 +27,7 @@ terraform { authentik = { source = "goauthentik/authentik" - version = "~> 2024.8.0" + version = "~> 2025.2.0" } mailcow = { source = "l-with/mailcow" diff --git a/modules/services/authentik.tf b/modules/services/authentik.tf index 5523583..94644e9 100644 --- a/modules/services/authentik.tf +++ b/modules/services/authentik.tf @@ -1,6 +1,10 @@ data "authentik_flow" "default_authorization_flow" { slug = "default-provider-authorization-implicit-consent" } +data "authentik_flow" "default_invalidation_flow" { + slug = "default-provider-invalidation-flow" +} + data "authentik_certificate_key_pair" "ecdsa" { name = "auth.serguzim.me" 
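Review bot: In modules/services/authentik.tf, the new `data "authentik_flow" "default_invalidation_flow"` block resolves the flow by a hard-coded slug, and nothing says where that flow comes from. The slug looks like one of authentik's default blueprint flows. If so, the lookup would presumably fail at plan time on an instance where that blueprint is not applied, or where the server is older than the 2025.2 provider expects. Confirm the server was upgraded together with this provider bump. I would add a comment above the block, for example `# Invalidation (logout) flow from authentik's default blueprints; shared by every OAuth2 provider in this module`.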
@@ -52,12 +56,16 @@ resource "authentik_group" "minio_users" { resource "authentik_provider_oauth2" "service_providers" { - for_each = local.services_auth - name = each.key - client_type = "confidential" - client_id = each.key - authorization_flow = data.authentik_flow.default_authorization_flow.id - redirect_uris = each.value.auth_redirects + for_each = local.services_auth + name = each.key + client_type = "confidential" + client_id = each.key + authorization_flow = data.authentik_flow.default_authorization_flow.id + invalidation_flow = data.authentik_flow.default_invalidation_flow.id + allowed_redirect_uris = [for redir in each.value.auth_redirects : { + matching_mode = "strict", + url = redir, + }] property_mappings = flatten([ data.authentik_property_mapping_provider_scope.default_scopes.ids, each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : [] diff --git a/modules/services/main.tf b/modules/services/main.tf index 4dc070a..5ef7d96 100644 --- a/modules/services/main.tf +++ b/modules/services/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { authentik = { source = "goauthentik/authentik" - version = "~> 2024.8.0" + version = "~> 2025.2.0" } mailcow = { source = "l-with/mailcow"
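Review bot: In the `authentik_provider_oauth2.service_providers` hunk of modules/services/authentik.tf, every entry of `each.value.auth_redirects` is now registered with `matching_mode = "strict"`, but nothing records that exact matching is the intended security property. A later switch to regex matching would widen the set of redirect targets the authorization endpoint accepts, so I would pin the intent with a comment above the attribute: `# strict = exact string match; do not change to "regex" without anchoring and escaping the pattern`. `local.services_auth` is not visible in this diff, so check that no existing `auth_redirects` value was written as a pattern; it would now be compared literally and that client's login would stop working. The resource body continues past the end of the hunk.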