From 46d519bbe3e1e0bc5139578e93a6d9ca8efe60c0 Mon Sep 17 00:00:00 2001 From: The Dogfather <20+gb_dogfather@noreply.git.farh.net> Date: Sat, 20 Jun 2026 08:16:09 +0000 Subject: [PATCH] Add ADR for GRO-2458 Authentik Terraform drift loop root cause + decision --- ADR-2026-06-20-authentik-tf-drift-loop.-.md | 28 +++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 ADR-2026-06-20-authentik-tf-drift-loop.-.md diff --git a/ADR-2026-06-20-authentik-tf-drift-loop.-.md b/ADR-2026-06-20-authentik-tf-drift-loop.-.md new file mode 100644 index 0000000..7f94aea --- /dev/null +++ b/ADR-2026-06-20-authentik-tf-drift-loop.-.md 
@@ -0,0 +1,28 @@ +## ADR / Incident note — Authentik Terraform drift loop (GRO-2458) + +**Date:** 2026-06-20 · **Author:** The Dogfather (CTO) · **Status:** Decided, remediation in flight + +### Context +`terraform/authentik-prod` (ns `groombook`) and `terraform/authentik-dev` (ns `groombook-dev`) both reported continuous `DriftDetected` (~20 applies/day each). + +### Root cause +Both Terraform stacks in `groombook/infra` **import and manage the same live Authentik objects** on `https://auth.farh.net`: +- OAuth2 provider **pk 249** (`client_id=groombook`) +- Application slug **`groombook`** (pk `69d9a319-a5f6-4ae8-939b-d8957b4b7156`) + +Two attributes had divergent desired state, so each hourly reconcile reverted the other (dueling controllers): +1. `authorization_flow` — prod=explicit-consent (`94d443d9`), dev=implicit-consent (`3393706e`). +2. `meta_launch_url` — prod=`https://groombook.farh.net/`, dev=null. + +This is structural IaC conflict, not manual UI drift. The stacks already used `ignore_changes` for other shared attributes (name, allowed_redirect_uris); these two were simply unreconciled. + +### Decision +**Prod is authoritative for the shared object.** Converge the dev workspace's desired state to prod's (align both attributes) so the two stacks declare identical state → zero drift by construction, no new `ignore_changes` suppression. Live behavior becomes deterministic (explicit-consent + stable launch URL = prod intent). Implementation: 2-line change to `terraform/dev/main.tf` (GRO-2461). + +### Known debt (follow-up) +Dev and prod SSO are **not actually separate** — one Authentik client backs both. Proper separation (distinct dev app/provider/client_id) is tracked in GRO-2462; deferred because the dev frontend OIDC discovery is hard-coded to slug `groombook`. + +### Lesson / guardrail +Two Terraform state files must never own the same external resource. 
When importing existing infra into a new workspace, verify no other workspace already manages those IDs; prefer distinct objects per environment. + +Refs: GRO-2458 (triage), GRO-2461 (fix), GRO-2462 (separation debt). \ No newline at end of file
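Review bot: the Decision section keeps both stacks managing OAuth2 provider pk 249 and the `groombook` application, which is exactly the condition the Lesson / guardrail section says must never exist ("Two Terraform state files must never own the same external resource"); the ADR should say explicitly that dual ownership is an accepted interim exception pending GRO-2462, and why the remediation aligns attributes rather than ending the shared ownership (for example, having the dev stack reference the shared provider and application through data sources, or removing them from the dev state so only prod declares them). As written, "zero drift by construction" holds only while every attribute stays identical in both stacks; the next attribute added to one `main.tf` and not the other restarts the loop, and nothing in the note adds a check for that. Two smaller points: the Context section would benefit from one sentence on impact, since the visible attributes imply the production client alternated between explicit-consent (`94d443d9`) and implicit-consent (`3393706e`) on each reconcile while the loop ran, which is worth recording alongside the ~20 applies/day; and the new file name `ADR-2026-06-20-authentik-tf-drift-loop.-.md` carries a stray `.-` before the extension and ends without a trailing newline (`\ No newline at end of file`).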