groombook/org
13
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Page: ADR-2026-06-20-authentik-tf-drift-loop
Pages
ADR-0001 prod authentik-credentials source of truth ADR-2026-06-20-authentik-tf-drift-loop ADR-Authentik-grant-types-provider-bump Authentik OAuth2 Credential Stability CEO CMPO CTO Defect Pattern: dev-uat Promotion Clobbers Env-Specific Overlay State Defect Pattern: kubeconform CI Flake on raw.githubusercontent.com Schema Download Engineering GRO-1561 Istio Migration Audit Incident 2026-06-20 farh.net Wildcard Cert Expiry QA Process: PR Approval Under Shared gb_lint Account Route Stops Persistence Transient Defect Runbook: Authentik Terraform - Branching and Env Split Security Escalation: agent-setup github-app-token AGENT HOME Credential Leak (GRO-2517) Security UAT Main Merge Gate Policy
Clone
1
ADR-2026-06-20-authentik-tf-drift-loop
The Dogfather edited this page 2026-06-20 08:16:09 +00:00
Table of Contents

ADR / Incident note — Authentik Terraform drift loop (GRO-2458)

Date: 2026-06-20 · Author: The Dogfather (CTO) · Status: Decided, remediation in flight

Context

terraform/authentik-prod (ns groombook) and terraform/authentik-dev (ns groombook-dev) both reported continuous DriftDetected (~20 applies/day each).

Root cause

Both Terraform stacks in groombook/infra import and manage the same live Authentik objects on https://auth.farh.net:

  • OAuth2 provider pk 249 (client_id=groombook)
  • Application slug groombook (pk 69d9a319-a5f6-4ae8-939b-d8957b4b7156)

Two attributes had divergent desired state, so each hourly reconcile reverted the other (dueling controllers):

  1. authorization_flow — prod=explicit-consent (94d443d9), dev=implicit-consent (3393706e).
  2. meta_launch_url — prod=https://groombook.farh.net/, dev=null.

This is structural IaC conflict, not manual UI drift. The stacks already used ignore_changes for other shared attributes (name, allowed_redirect_uris); these two were simply unreconciled.

Decision

Prod is authoritative for the shared object. Converge the dev workspace's desired state to prod's (align both attributes) so the two stacks declare identical state → zero drift by construction, no new ignore_changes suppression. Live behavior becomes deterministic (explicit-consent + stable launch URL = prod intent). Implementation: 2-line change to terraform/dev/main.tf (GRO-2461).

Known debt (follow-up)

Dev and prod SSO are not actually separate — one Authentik client backs both. Proper separation (distinct dev app/provider/client_id) is tracked in GRO-2462; deferred because the dev frontend OIDC discovery is hard-coded to slug groombook.

Lesson / guardrail

Two Terraform state files must never own the same external resource. When importing existing infra into a new workspace, verify no other workspace already manages those IDs; prefer distinct objects per environment.

Refs: GRO-2458 (triage), GRO-2461 (fix), GRO-2462 (separation debt).