Bump goauthentik.io/api/v3 from 3.2024123.7 to 3.2025022.5 (#666)

* Bump goauthentik.io/api/v3 from 3.2024123.7 to 3.2025022.5

Bumps [goauthentik.io/api/v3](https://github.com/goauthentik/client-go) from 3.2024123.7 to 3.2025022.5.
- [Release notes](https://github.com/goauthentik/client-go/releases)
- [Changelog](https://github.com/goauthentik/client-go/blob/main/model_version_history.go)
- [Commits](goauthentik/client-go@v3.2024123.7...v3.2025022.5)

---
updated-dependencies:
- dependency-name: goauthentik.io/api/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* update token expiry

* brand: add default flow background and custom CSS

* providers: add dry-run for sync providers

* providers/scim: add compatibility mode

* providers/saml: add authn_context_class_ref_mapping

* events: update webhook mappings for webhook transport

* fix schema

* fix default flow background

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <[email protected]>

Author: dependabot[bot]

docs/data-sources/brand.md

@@ -27,6 +27,8 @@ data "authentik_brand" "authentik-default" {
 
 ### Optional
 
+- `branding_custom_css` (String) Generated.
+- `branding_default_flow_background` (String) Generated.
 - `branding_favicon` (String) Generated.
 - `branding_logo` (String) Generated.
 - `branding_title` (String) Generated.

docs/resources/brand.md

@@ -31,6 +31,8 @@ resource "authentik_brand" "default" {
 ### Optional
 
 - `attributes` (String) JSON format expected. Use jsonencode() to pass objects. Defaults to `{}`.
+- `branding_custom_css` (String)
+- `branding_default_flow_background` (String) Defaults to `/static/dist/assets/images/flow_background.jpg`.
 - `branding_favicon` (String)
 - `branding_logo` (String)
 - `branding_title` (String) Defaults to `authentik`.

docs/resources/event_transport.md

@@ -44,7 +44,8 @@ resource "authentik_event_transport" "transport" {
 ### Optional
 
 - `send_once` (Boolean) Defaults to `true`.
-- `webhook_mapping` (String)
+- `webhook_mapping_body` (String)
+- `webhook_mapping_headers` (String)
 - `webhook_url` (String)
 
 ### Read-Only

docs/resources/provider_google_workspace.md

@@ -23,6 +23,7 @@ description: |-
 
 - `credentials` (String) JSON format expected. Use jsonencode() to pass objects. Defaults to `{}`.
 - `delegated_subject` (String) Defaults to `seconds=0`.
+- `dry_run` (Boolean) Defaults to `false`.
 - `exclude_users_service_account` (Boolean)
 - `filter_group` (String)
 - `group_delete_action` (String) Allowed values:

docs/resources/provider_microsoft_entra.md

@@ -23,6 +23,7 @@ description: |-
 
 ### Optional
 
+- `dry_run` (Boolean) Defaults to `false`.
 - `exclude_users_service_account` (Boolean)
 - `filter_group` (String)
 - `group_delete_action` (String) Allowed values:

docs/resources/provider_saml.md

@@ -47,6 +47,7 @@ resource "authentik_application" "name" {
 - `assertion_valid_not_on_or_after` (String) Defaults to `minutes=5`.
 - `audience` (String) Defaults to ``.
 - `authentication_flow` (String)
+- `authn_context_class_ref_mapping` (String)
 - `default_relay_state` (String) Defaults to ``.
 - `digest_algorithm` (String) Allowed values:
   - `http://www.w3.org/2000/09/xmldsig#sha1`

docs/resources/provider_scim.md

@@ -42,6 +42,12 @@ resource "authentik_provider_scim" "name" {
 
 ### Optional
 
+- `compatibility_mode` (String) Allowed values:
+  - `default`
+  - `aws`
+  - `slack`
+ Defaults to `default`.
+- `dry_run` (Boolean) Defaults to `false`.
 - `exclude_users_service_account` (Boolean)
 - `filter_group` (String)
 - `property_mappings` (List of String)

docs/resources/stage_email.md

@@ -36,7 +36,7 @@ resource "authentik_stage_email" "name" {
 - `subject` (String) Defaults to `authentik`.
 - `template` (String) Defaults to `email/password_reset.html`.
 - `timeout` (Number) Defaults to `30`.
-- `token_expiry` (Number) Defaults to `30`.
+- `token_expiry` (String) Defaults to `minutes=30`.
 - `use_global_settings` (Boolean) Defaults to `true`.
 - `use_ssl` (Boolean)
 - `use_tls` (Boolean)

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1
 	github.com/stretchr/testify v1.10.0
-	goauthentik.io/api/v3 v3.2024123.7
+	goauthentik.io/api/v3 v3.2025022.6
 )
 
 require (

go.sum

@@ -483,8 +483,8 @@ go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HY
 go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024123.7 h1:vjmEnxXTHGFylJ9kTBFNYy4kcTrUM2hSIt3ja8gNVAY=
-goauthentik.io/api/v3 v3.2024123.7/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025022.6 h1:M5M8Cd/1N7E8KLkvYYh7VdcdKz5nfzjKPFLK+YOtOVg=
+goauthentik.io/api/v3 v3.2025022.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/provider/data_source_brand.go

@@ -37,6 +37,16 @@ func dataSourceBrand() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"branding_default_flow_background": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+			"branding_custom_css": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
 			"flow_authentication": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -105,6 +115,8 @@ func dataSourceBrandRead(ctx context.Context, d *schema.ResourceData, m interfac
 	setWrapper(d, "branding_title", f.BrandingTitle)
 	setWrapper(d, "branding_logo", f.BrandingLogo)
 	setWrapper(d, "branding_favicon", f.BrandingFavicon)
+	setWrapper(d, "branding_default_flow_background", f.BrandingDefaultFlowBackground)
+	setWrapper(d, "branding_custom_css", f.BrandingCustomCss)
 	setWrapper(d, "flow_authentication", f.FlowAuthentication.Get())
 	setWrapper(d, "flow_invalidation", f.FlowInvalidation.Get())
 	setWrapper(d, "flow_recovery", f.FlowRecovery.Get())

internal/provider/resource_brand.go

@@ -39,6 +39,15 @@ func resourceBrand() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"branding_default_flow_background": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "/static/dist/assets/images/flow_background.jpg",
+			},
+			"branding_custom_css": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"branding_favicon": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -101,6 +110,12 @@ func resourceBrandSchemaToModel(d *schema.ResourceData) (*api.BrandRequest, diag
 	if l, ok := d.Get("branding_favicon").(string); ok {
 		m.BrandingFavicon = &l
 	}
+	if l, ok := d.Get("branding_default_flow_background").(string); ok {
+		m.BrandingDefaultFlowBackground = &l
+	}
+	if l, ok := d.Get("branding_custom_css").(string); ok {
+		m.BrandingCustomCss = &l
+	}
 
 	if l, ok := d.Get("flow_authentication").(string); ok {
 		m.FlowAuthentication.Set(&l)
@@ -191,6 +206,8 @@ func resourceBrandRead(ctx context.Context, d *schema.ResourceData, m interface{
 	setWrapper(d, "branding_title", res.BrandingTitle)
 	setWrapper(d, "branding_logo", res.BrandingLogo)
 	setWrapper(d, "branding_favicon", res.BrandingFavicon)
+	setWrapper(d, "branding_default_flow_background", res.BrandingDefaultFlowBackground)
+	setWrapper(d, "branding_custom_css", res.BrandingCustomCss)
 	if res.FlowAuthentication.IsSet() {
 		setWrapper(d, "flow_authentication", res.FlowAuthentication.Get())
 	}

internal/provider/resource_event_transport.go

@@ -33,7 +33,11 @@ func resourceEventTransport() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
-			"webhook_mapping": {
+			"webhook_mapping_body": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"webhook_mapping_headers": {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
@@ -57,8 +61,11 @@ func resourceEventTransportSchemaToModel(d *schema.ResourceData) (*api.Notificat
 		m.WebhookUrl = &w
 	}
 
-	if w, ok := d.Get("webhook_mapping").(string); ok {
-		m.WebhookMapping.Set(&w)
+	if w, ok := d.Get("webhook_mapping_body").(string); ok {
+		m.WebhookMappingBody.Set(&w)
+	}
+	if w, ok := d.Get("webhook_mapping_headers").(string); ok {
+		m.WebhookMappingHeaders.Set(&w)
 	}
 	return &m, nil
 }
@@ -93,7 +100,8 @@ func resourceEventTransportRead(ctx context.Context, d *schema.ResourceData, m i
 	setWrapper(d, "mode", res.Mode)
 	setWrapper(d, "send_once", res.SendOnce)
 	setWrapper(d, "webhook_url", res.WebhookUrl)
-	setWrapper(d, "webhook_mapping", res.WebhookMapping.Get())
+	setWrapper(d, "webhook_mapping_body", res.WebhookMappingBody.Get())
+	setWrapper(d, "webhook_mapping_headers", res.WebhookMappingHeaders.Get())
 	return diags
 }
 

internal/provider/resource_provider_google_workspace.go

@@ -26,6 +26,11 @@ func resourceProviderGoogleWorkspace() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
+			"dry_run": {
+				Type:     schema.TypeBool,
+				Default:  false,
+				Optional: true,
+			},
 
 			"credentials": {
 				Type:             schema.TypeString,
@@ -104,6 +109,9 @@ func resourceProviderGoogleWorkspaceSchemaToProvider(d *schema.ResourceData) (*a
 	if l, ok := d.Get("filter_group").(string); ok {
 		r.FilterGroup = *api.NewNullableString(&l)
 	}
+	if d, dok := d.GetOk("dry_run"); dok {
+		r.DryRun = api.PtrBool(d.(bool))
+	}
 	credentials := make(map[string]interface{})
 	if l, ok := d.Get("credentials").(string); ok && l != "" {
 		err := json.NewDecoder(strings.NewReader(l)).Decode(&credentials)
@@ -151,6 +159,7 @@ func resourceProviderGoogleWorkspaceRead(ctx context.Context, d *schema.Resource
 	setWrapper(d, "user_delete_action", res.UserDeleteAction)
 	setWrapper(d, "group_delete_action", res.GroupDeleteAction)
 	setWrapper(d, "filter_group", res.FilterGroup)
+	setWrapper(d, "dry_run", res.DryRun)
 	localMappings := castSlice[string](d.Get("property_mappings").([]interface{}))
 	if len(localMappings) > 0 {
 		setWrapper(d, "property_mappings", listConsistentMerge(localMappings, res.PropertyMappings))

internal/provider/resource_provider_microsoft_entra.go

@@ -24,6 +24,11 @@ func resourceProviderMicrosoftEntra() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
+			"dry_run": {
+				Type:     schema.TypeBool,
+				Default:  false,
+				Optional: true,
+			},
 			"client_id": {
 				Type:     schema.TypeString,
 				Required: true,
@@ -105,6 +110,9 @@ func resourceProviderMicrosoftEntraSchemaToProvider(d *schema.ResourceData) (*ap
 	if l, ok := d.Get("filter_group").(string); ok {
 		r.FilterGroup = *api.NewNullableString(&l)
 	}
+	if d, dok := d.GetOk("dry_run"); dok {
+		r.DryRun = api.PtrBool(d.(bool))
+	}
 	return &r, nil
 }
 
@@ -145,6 +153,7 @@ func resourceProviderMicrosoftEntraRead(ctx context.Context, d *schema.ResourceD
 	setWrapper(d, "user_delete_action", res.UserDeleteAction)
 	setWrapper(d, "group_delete_action", res.GroupDeleteAction)
 	setWrapper(d, "filter_group", res.FilterGroup)
+	setWrapper(d, "dry_run", res.DryRun)
 	localMappings := castSlice[string](d.Get("property_mappings").([]interface{}))
 	if len(localMappings) > 0 {
 		setWrapper(d, "property_mappings", listConsistentMerge(localMappings, res.PropertyMappings))

internal/provider/resource_provider_saml.go

@@ -103,6 +103,10 @@ func resourceProviderSAML() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"authn_context_class_ref_mapping": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"digest_algorithm": {
 				Type:             schema.TypeString,
 				Optional:         true,
@@ -180,6 +184,9 @@ func resourceProviderSAMLSchemaToProvider(d *schema.ResourceData) *api.SAMLProvi
 	if s, sok := d.GetOk("name_id_mapping"); sok && s.(string) != "" {
 		r.NameIdMapping.Set(api.PtrString(s.(string)))
 	}
+	if s, sok := d.GetOk("authn_context_class_ref_mapping"); sok && s.(string) != "" {
+		r.AuthnContextClassRefMapping.Set(api.PtrString(s.(string)))
+	}
 	if s, sok := d.GetOk("encryption_kp"); sok && s.(string) != "" {
 		r.EncryptionKp.Set(api.PtrString(s.(string)))
 	}
@@ -240,6 +247,9 @@ func resourceProviderSAMLRead(ctx context.Context, d *schema.ResourceData, m int
 	if res.NameIdMapping.IsSet() {
 		setWrapper(d, "name_id_mapping", res.NameIdMapping.Get())
 	}
+	if res.AuthnContextClassRefMapping.IsSet() {
+		setWrapper(d, "authn_context_class_ref_mapping", res.AuthnContextClassRefMapping.Get())
+	}
 	if res.SigningKp.IsSet() {
 		setWrapper(d, "signing_kp", res.SigningKp.Get())
 	}

internal/provider/resource_provider_scim.go

@@ -24,6 +24,11 @@ func resourceProviderSCIM() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
+			"dry_run": {
+				Type:     schema.TypeBool,
+				Default:  false,
+				Optional: true,
+			},
 			"url": {
 				Type:     schema.TypeString,
 				Required: true,
@@ -33,6 +38,13 @@ func resourceProviderSCIM() *schema.Resource {
 				Sensitive: true,
 				Required:  true,
 			},
+			"compatibility_mode": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          api.COMPATIBILITYMODEENUM_DEFAULT,
+				Description:      EnumToDescription(api.AllowedCompatibilityModeEnumEnumValues),
+				ValidateDiagFunc: StringInEnum(api.AllowedCompatibilityModeEnumEnumValues),
+			},
 			"property_mappings": {
 				Type:     schema.TypeList,
 				Optional: true,
@@ -67,10 +79,14 @@ func resourceProviderSCIMSchemaToProvider(d *schema.ResourceData) *api.SCIMProvi
 		PropertyMappings:           castSlice[string](d.Get("property_mappings").([]interface{})),
 		PropertyMappingsGroup:      castSlice[string](d.Get("property_mappings_group").([]interface{})),
 		ExcludeUsersServiceAccount: api.PtrBool(d.Get("exclude_users_service_account").(bool)),
+		CompatibilityMode:          api.CompatibilityModeEnum(d.Get("compatibility_mode").(string)).Ptr(),
 	}
 	if l, ok := d.Get("filter_group").(string); ok {
 		r.FilterGroup = *api.NewNullableString(&l)
 	}
+	if d, dok := d.GetOk("dry_run"); dok {
+		r.DryRun = api.PtrBool(d.(bool))
+	}
 	return &r
 }
 
@@ -109,6 +125,8 @@ func resourceProviderSCIMRead(ctx context.Context, d *schema.ResourceData, m int
 	setWrapper(d, "property_mappings_group", listConsistentMerge(localGroupMappings, res.PropertyMappingsGroup))
 	setWrapper(d, "exclude_users_service_account", res.ExcludeUsersServiceAccount)
 	setWrapper(d, "filter_group", res.FilterGroup.Get())
+	setWrapper(d, "dry_run", res.DryRun)
+	setWrapper(d, "compatibility_mode", res.CompatibilityMode)
 	return diags
 }
 

internal/provider/resource_stage_email.go

@@ -66,9 +66,9 @@ func resourceStageEmail() *schema.Resource {
 				Default:  "[email protected]",
 			},
 			"token_expiry": {
-				Type:     schema.TypeInt,
+				Type:     schema.TypeString,
 				Optional: true,
-				Default:  30,
+				Default:  "minutes=30",
 			},
 			"subject": {
 				Type:     schema.TypeString,
@@ -119,7 +119,7 @@ func resourceStageEmailSchemaToProvider(d *schema.ResourceData) *api.EmailStageR
 		r.FromAddress = api.PtrString(h.(string))
 	}
 	if p, pSet := d.GetOk("token_expiry"); pSet {
-		r.TokenExpiry = api.PtrInt32(int32(p.(int)))
+		r.TokenExpiry = api.PtrString(p.(string))
 	}
 	if h, hSet := d.GetOk("subject"); hSet {
 		r.Subject = api.PtrString(h.(string))