make enrollment flow optional for source (#549)

docs/resources/policy_event_matcher.md

@@ -43,6 +43,7 @@ resource "authentik_policy_event_matcher" "name" {
   - `authentik.policies.event_matcher`
   - `authentik.policies.expiry`
   - `authentik.policies.expression`
+  - `authentik.policies.geoip`
   - `authentik.policies.password`
   - `authentik.policies.reputation`
   - `authentik.policies`
@@ -103,6 +104,7 @@ resource "authentik_policy_event_matcher" "name" {
   - `authentik_policies_event_matcher.eventmatcherpolicy`
   - `authentik_policies_expiry.passwordexpirypolicy`
   - `authentik_policies_expression.expressionpolicy`
+  - `authentik_policies_geoip.geoippolicy`
   - `authentik_policies_password.passwordpolicy`
   - `authentik_policies_reputation.reputationpolicy`
   - `authentik_policies.policybinding`
@@ -120,11 +122,17 @@ resource "authentik_policy_event_matcher" "name" {
   - `authentik_sources_ldap.ldapsource`
   - `authentik_sources_ldap.ldapsourcepropertymapping`
   - `authentik_sources_oauth.oauthsource`
+  - `authentik_sources_oauth.oauthsourcepropertymapping`
   - `authentik_sources_oauth.useroauthsourceconnection`
+  - `authentik_sources_oauth.groupoauthsourceconnection`
   - `authentik_sources_plex.plexsource`
-  - `authentik_sources_plex.plexsourceconnection`
+  - `authentik_sources_plex.plexsourcepropertymapping`
+  - `authentik_sources_plex.userplexsourceconnection`
+  - `authentik_sources_plex.groupplexsourceconnection`
   - `authentik_sources_saml.samlsource`
+  - `authentik_sources_saml.samlsourcepropertymapping`
   - `authentik_sources_saml.usersamlsourceconnection`
+  - `authentik_sources_saml.groupsamlsourceconnection`
   - `authentik_sources_scim.scimsource`
   - `authentik_sources_scim.scimsourcepropertymapping`
   - `authentik_stages_authenticator_duo.authenticatorduostage`

docs/resources/rbac_permission_role.md

@@ -62,6 +62,7 @@ resource "authentik_rbac_permission_role" "global-permission" {
   - `authentik_policies_event_matcher.eventmatcherpolicy`
   - `authentik_policies_expiry.passwordexpirypolicy`
   - `authentik_policies_expression.expressionpolicy`
+  - `authentik_policies_geoip.geoippolicy`
   - `authentik_policies_password.passwordpolicy`
   - `authentik_policies_reputation.reputationpolicy`
   - `authentik_policies.policybinding`
@@ -79,11 +80,17 @@ resource "authentik_rbac_permission_role" "global-permission" {
   - `authentik_sources_ldap.ldapsource`
   - `authentik_sources_ldap.ldapsourcepropertymapping`
   - `authentik_sources_oauth.oauthsource`
+  - `authentik_sources_oauth.oauthsourcepropertymapping`
   - `authentik_sources_oauth.useroauthsourceconnection`
+  - `authentik_sources_oauth.groupoauthsourceconnection`
   - `authentik_sources_plex.plexsource`
-  - `authentik_sources_plex.plexsourceconnection`
+  - `authentik_sources_plex.plexsourcepropertymapping`
+  - `authentik_sources_plex.userplexsourceconnection`
+  - `authentik_sources_plex.groupplexsourceconnection`
   - `authentik_sources_saml.samlsource`
+  - `authentik_sources_saml.samlsourcepropertymapping`
   - `authentik_sources_saml.usersamlsourceconnection`
+  - `authentik_sources_saml.groupsamlsourceconnection`
   - `authentik_sources_scim.scimsource`
   - `authentik_sources_scim.scimsourcepropertymapping`
   - `authentik_stages_authenticator_duo.authenticatorduostage`

docs/resources/rbac_permission_user.md

@@ -64,6 +64,7 @@ resource "authentik_rbac_permission_user" "global-permission" {
   - `authentik_policies_event_matcher.eventmatcherpolicy`
   - `authentik_policies_expiry.passwordexpirypolicy`
   - `authentik_policies_expression.expressionpolicy`
+  - `authentik_policies_geoip.geoippolicy`
   - `authentik_policies_password.passwordpolicy`
   - `authentik_policies_reputation.reputationpolicy`
   - `authentik_policies.policybinding`
@@ -81,11 +82,17 @@ resource "authentik_rbac_permission_user" "global-permission" {
   - `authentik_sources_ldap.ldapsource`
   - `authentik_sources_ldap.ldapsourcepropertymapping`
   - `authentik_sources_oauth.oauthsource`
+  - `authentik_sources_oauth.oauthsourcepropertymapping`
   - `authentik_sources_oauth.useroauthsourceconnection`
+  - `authentik_sources_oauth.groupoauthsourceconnection`
   - `authentik_sources_plex.plexsource`
-  - `authentik_sources_plex.plexsourceconnection`
+  - `authentik_sources_plex.plexsourcepropertymapping`
+  - `authentik_sources_plex.userplexsourceconnection`
+  - `authentik_sources_plex.groupplexsourceconnection`
   - `authentik_sources_saml.samlsource`
+  - `authentik_sources_saml.samlsourcepropertymapping`
   - `authentik_sources_saml.usersamlsourceconnection`
+  - `authentik_sources_saml.groupsamlsourceconnection`
   - `authentik_sources_scim.scimsource`
   - `authentik_sources_scim.scimsourcepropertymapping`
   - `authentik_stages_authenticator_duo.authenticatorduostage`

docs/resources/source_oauth.md

@@ -38,10 +38,8 @@ resource "authentik_source_oauth" "name" {
 
 ### Required
 
-- `authentication_flow` (String)
 - `consumer_key` (String)
 - `consumer_secret` (String, Sensitive)
-- `enrollment_flow` (String)
 - `name` (String)
 - `provider_type` (String) Allowed values:
   - `apple`
@@ -64,8 +62,10 @@ resource "authentik_source_oauth" "name" {
 
 - `access_token_url` (String) Only required for OAuth1.
 - `additional_scopes` (String)
+- `authentication_flow` (String)
 - `authorization_url` (String) Manually configure OAuth2 URLs when `oidc_well_known_url` is not set.
 - `enabled` (Boolean) Defaults to `true`.
+- `enrollment_flow` (String)
 - `oidc_jwks` (String) Manually configure JWKS keys for use with machine-to-machine authentication. JSON format expected. Use jsonencode() to pass objects. Generated.
 - `oidc_jwks_url` (String) Automatically configure JWKS if not specified by `oidc_well_known_url`.
 - `oidc_well_known_url` (String) Automatically configure source from OIDC well-known endpoint. URL is taken as is, and should end with `.well-known/openid-configuration`.

docs/resources/source_plex.md

@@ -33,9 +33,7 @@ resource "authentik_source_plex" "name" {
 
 ### Required
 
-- `authentication_flow` (String)
 - `client_id` (String)
-- `enrollment_flow` (String)
 - `name` (String)
 - `plex_token` (String, Sensitive)
 - `slug` (String)
@@ -44,7 +42,9 @@ resource "authentik_source_plex" "name" {
 
 - `allow_friends` (Boolean) Defaults to `true`.
 - `allowed_servers` (List of String)
+- `authentication_flow` (String)
 - `enabled` (Boolean) Defaults to `true`.
+- `enrollment_flow` (String)
 - `policy_engine_mode` (String) Allowed values:
   - `all`
   - `any`

docs/resources/source_saml.md

@@ -41,8 +41,6 @@ resource "authentik_source_saml" "name" {
 
 ### Required
 
-- `authentication_flow` (String)
-- `enrollment_flow` (String)
 - `name` (String)
 - `pre_authentication_flow` (String)
 - `slug` (String)
@@ -51,6 +49,7 @@ resource "authentik_source_saml" "name" {
 ### Optional
 
 - `allow_idp_initiated` (Boolean) Defaults to `false`.
+- `authentication_flow` (String)
 - `binding_type` (String) Allowed values:
   - `REDIRECT`
   - `POST`
@@ -63,6 +62,7 @@ resource "authentik_source_saml" "name" {
   - `http://www.w3.org/2001/04/xmlenc#sha512`
  Defaults to `http://www.w3.org/2001/04/xmlenc#sha256`.
 - `enabled` (Boolean) Defaults to `true`.
+- `enrollment_flow` (String)
 - `issuer` (String)
 - `name_id_policy` (String) Allowed values:
   - `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

docs/resources/system_settings.md

@@ -2,10 +2,13 @@
 page_title: "authentik_system_settings Resource - terraform-provider-authentik"
 subcategory: "System"
 description: |-
+  
 ---
 
 # authentik_system_settings (Resource)
 
+
+
 ## Example Usage
 
 ```terraform
@@ -17,7 +20,6 @@ resource "authentik_system_settings" "settings" {
 ```
 
 <!-- schema generated by tfplugindocs -->
-
 ## Schema
 
 ### Optional

internal/provider/resource_source_oauth.go

@@ -41,11 +41,11 @@ func resourceSourceOAuth() *schema.Resource {
 			},
 			"authentication_flow": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"enrollment_flow": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"enabled": {
 				Type:     schema.TypeBool,
@@ -149,8 +149,12 @@ func resourceSourceOAuthSchemaToSource(d *schema.ResourceData) (*api.OAuthSource
 		UserMatchingMode: api.UserMatchingModeEnum(d.Get("user_matching_mode").(string)).Ptr(),
 	}
 
-	r.AuthenticationFlow.Set(api.PtrString(d.Get("authentication_flow").(string)))
-	r.EnrollmentFlow.Set(api.PtrString(d.Get("enrollment_flow").(string)))
+	if ak, ok := d.GetOk("authentication_flow"); ok {
+		r.AuthenticationFlow.Set(api.PtrString(ak.(string)))
+	}
+	if ef, ok := d.GetOk("enrollment_flow"); ok {
+		r.EnrollmentFlow.Set(api.PtrString(ef.(string)))
+	}
 
 	if s, sok := d.GetOk("request_token_url"); sok && s.(string) != "" {
 		r.RequestTokenUrl.Set(api.PtrString(s.(string)))

internal/provider/resource_source_plex.go

@@ -39,11 +39,11 @@ func resourceSourcePlex() *schema.Resource {
 			},
 			"authentication_flow": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"enrollment_flow": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"enabled": {
 				Type:     schema.TypeBool,
@@ -104,8 +104,12 @@ func resourceSourcePlexSchemaToSource(d *schema.ResourceData) *api.PlexSourceReq
 		PlexToken:    d.Get("plex_token").(string),
 	}
 
-	r.AuthenticationFlow.Set(api.PtrString(d.Get("authentication_flow").(string)))
-	r.EnrollmentFlow.Set(api.PtrString(d.Get("enrollment_flow").(string)))
+	if ak, ok := d.GetOk("authentication_flow"); ok {
+		r.AuthenticationFlow.Set(api.PtrString(ak.(string)))
+	}
+	if ef, ok := d.GetOk("enrollment_flow"); ok {
+		r.EnrollmentFlow.Set(api.PtrString(ef.(string)))
+	}
 
 	r.AllowedServers = castSlice[string](d.Get("allowed_servers").([]interface{}))
 	return &r

internal/provider/resource_source_saml.go

@@ -39,11 +39,11 @@ func resourceSourceSAML() *schema.Resource {
 			},
 			"authentication_flow": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"enrollment_flow": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"enabled": {
 				Type:     schema.TypeBool,
@@ -135,12 +135,12 @@ func resourceSourceSAML() *schema.Resource {
 
 func resourceSourceSAMLSchemaToSource(d *schema.ResourceData) *api.SAMLSourceRequest {
 	r := api.SAMLSourceRequest{
-		Name:             d.Get("name").(string),
-		Slug:             d.Get("slug").(string),
-		Enabled:          api.PtrBool(d.Get("enabled").(bool)),
-		UserPathTemplate: api.PtrString(d.Get("user_path_template").(string)),
-		PolicyEngineMode: api.PolicyEngineMode(d.Get("policy_engine_mode").(string)).Ptr(),
-		UserMatchingMode: api.UserMatchingModeEnum(d.Get("user_matching_mode").(string)).Ptr(),
+		Name:                     d.Get("name").(string),
+		Slug:                     d.Get("slug").(string),
+		Enabled:                  api.PtrBool(d.Get("enabled").(bool)),
+		UserPathTemplate:         api.PtrString(d.Get("user_path_template").(string)),
+		PolicyEngineMode:         api.PolicyEngineMode(d.Get("policy_engine_mode").(string)).Ptr(),
+		UserMatchingMode:         api.UserMatchingModeEnum(d.Get("user_matching_mode").(string)).Ptr(),
 
 		PreAuthenticationFlow: d.Get("pre_authentication_flow").(string),
 
@@ -154,8 +154,12 @@ func resourceSourceSAMLSchemaToSource(d *schema.ResourceData) *api.SAMLSourceReq
 		NameIdPolicy:             api.NameIdPolicyEnum(d.Get("name_id_policy").(string)).Ptr(),
 	}
 
-	r.AuthenticationFlow.Set(api.PtrString(d.Get("authentication_flow").(string)))
-	r.EnrollmentFlow.Set(api.PtrString(d.Get("enrollment_flow").(string)))
+	if ak, ok := d.GetOk("authentication_flow"); ok {
+		r.AuthenticationFlow.Set(api.PtrString(ak.(string)))
+	}
+	if ef, ok := d.GetOk("enrollment_flow"); ok {
+		r.EnrollmentFlow.Set(api.PtrString(ef.(string)))
+	}
 
 	if s, sok := d.GetOk("slo_url"); sok && s.(string) != "" {
 		r.SloUrl.Set(api.PtrString(s.(string)))