@timvw
Created February 9, 2025 18:25
Terraform for Authentik as an identity provider for AWS Identity Center
# Authentik SAML Provider
# Federates authentik logins into AWS IAM Identity Center (authentik is the
# IdP, AWS is the SP).
resource "authentik_provider_saml" "aws" {
  name = "AWS IAM Identity Center"

  authorization_flow = data.authentik_flow.default_authorization_flow.id
  invalidation_flow  = data.authentik_flow.default_invalidation_flow.id

  # Service-provider endpoints published by AWS IAM Identity Center. XXXX and
  # YYYY are placeholders for the instance-specific values shown in the AWS
  # identity-source settings. AWS expects audience and issuer to be the same
  # URL, hence the duplication.
  acs_url  = "https://eu-central-1.signin.aws.amazon.com/platform/saml/acs/XXXX"
  audience = "https://eu-central-1.signin.aws.amazon.com/platform/saml/d-YYYY"
  issuer   = "https://eu-central-1.signin.aws.amazon.com/platform/saml/d-YYYY"

  # Key pair used to sign assertions. Its certificate must match the IdP
  # certificate uploaded to AWS; rotating the key pair means re-uploading it.
  signing_kp = data.authentik_certificate_key_pair.default.id
  sp_binding = "post"

  # No additional attribute statements are sent; AWS only needs the NameID,
  # which is mapped to the authentik username.
  property_mappings = []
  name_id_mapping   = data.authentik_property_mapping_provider_saml.username.id
}
# Built-in authentik mapping that emits the username as the SAML NameID.
data "authentik_property_mapping_provider_saml" "username" {
  managed = "goauthentik.io/providers/saml/username"
}
# Group created in authentik to restrict which users are synced to AWS;
# only its members are provisioned through SCIM.
data "authentik_group" "aws_users" {
  name = "aws-users"
}
# Authentik Application
# The user-facing application tile; SAML handles sign-in, SCIM runs as a
# backchannel provider to provision the same users into AWS.
resource "authentik_application" "aws" {
  name = "AWS Console"
  slug = "aws-console"

  protocol_provider     = authentik_provider_saml.aws.id
  backchannel_providers = [authentik_provider_scim.aws.id]

  # ZZZZ is a placeholder for the AWS access-portal subdomain.
  meta_launch_url = "https://ZZZZ.awsapps.com/start"
  open_in_new_tab = true
}
# Authentik SCIM Provider
# Pushes users and groups from authentik into AWS IAM Identity Center.
resource "authentik_provider_scim" "aws" {
  name = "AWS IAM Identity Center SCIM"

  # Endpoint and bearer token issued by AWS for automatic provisioning. The
  # token comes from a sensitive variable, which keeps it out of plan output;
  # it is still stored in the Terraform state, so the state backend has to be
  # protected like any other secret store.
  url   = var.aws_scim_url
  token = var.aws_scim_token

  # Only members of the aws-users group are provisioned, and authentik service
  # accounts are never pushed to AWS.
  filter_group                  = data.authentik_group.aws_users.id
  exclude_users_service_account = true

  property_mappings       = [authentik_property_mapping_provider_scim.aws_scim_user_mapping.id]
  property_mappings_group = [data.authentik_property_mapping_provider_scim.scim_group_mapping.id]
}
# Built-in authentik SCIM group mapping; groups are sent to AWS unchanged.
data "authentik_property_mapping_provider_scim" "scim_group_mapping" {
  managed = "goauthentik.io/providers/scim/group"
}
# Data sources for Authentik
# Default authorization flow; "implicit consent" means users are not asked
# to approve the application before being redirected to AWS.
data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
}
# authentik's default self-signed key pair, used to sign SAML assertions for
# AWS. Whatever certificate this resolves to must be the one registered in AWS.
data "authentik_certificate_key_pair" "default" {
  name = "authentik Self-signed Certificate"
}
# Default flow run when a session is invalidated (logout).
data "authentik_flow" "default_invalidation_flow" {
  slug = "default-invalidation-flow"
}
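# custom resource mapping
# Builds the SCIM User document that authentik sends to AWS for each synced
# user. The expression is Python evaluated by authentik; it returns a dict.
resource "authentik_property_mapping_provider_scim" "aws_scim_user_mapping" {
  name = "AWS SCIM User Mapping"

  expression = <<-EOF
    # https://docs.aws.amazon.com/singlesignon/latest/developerguide/createuser.html
    # The givenName, familyName, userName, and displayName fields are required.
    #
    # Surrounding whitespace is stripped first: a display name such as "Alice "
    # would otherwise produce an empty familyName, which AWS rejects.
    full_name = request.user.name.strip()
    if " " in full_name:
        givenName, _, familyName = full_name.partition(" ")
    else:
        # No surname available; AWS still requires a non-empty familyName, so a
        # single space is sent as a placeholder.
        givenName, familyName = full_name, " "
    # An empty authentik name would leave givenName empty; fall back to the
    # same single-space placeholder so the user can still be created.
    givenName = givenName or " "

    locale = request.user.locale()
    if locale == "":
        locale = None

    emails = []
    if request.user.email != "":
        emails = [{
            "value": request.user.email,
            "type": "other",
            "primary": True,
        }]

    return {
        "externalId": request.user.uid,
        "userName": request.user.username,
        "name": {
            "givenName": givenName,
            "familyName": familyName,
        },
        # displayName is required as well; use the username when no name is set.
        "displayName": full_name or request.user.username,
        "locale": locale,
        # Deactivated authentik users are deactivated in AWS instead of deleted.
        "active": request.user.is_active,
        "emails": emails,
    }
  EOF
}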
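variable "aws_scim_url" {
  type        = string
  description = "AWS SCIM URL"

  # The SCIM bearer token is sent on every request to this endpoint, so only
  # an https:// URL is accepted; the AWS SCIM endpoint is always served over TLS.
  validation {
    condition     = can(regex("^https://", var.aws_scim_url))
    error_message = "The aws_scim_url value must be an https:// URL."
  }
}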
variable "aws_scim_token" {
  type        = string
  description = "AWS SCIM Token"

  # Redacts the value in plan/apply output. It is still written to the
  # Terraform state, so the state backend must be protected as a secret store.
  sensitive = true
}