
Bug report: authentik_stage_authenticator_validate does not persist not_configured_action = "deny" (always reverts to "skip") #802

@tutomun

authentik_stage_authenticator_validate: not_configured_action = "deny" not persisted — always read back as "skip"

Summary

When defining an authentik_stage_authenticator_validate resource with:

not_configured_action = "deny"

Terraform applies successfully, but Authentik does not persist the value.
The Authentik UI continues to show “Continue” (i.e., "skip"), and every terraform plan reports a drift:

~ not_configured_action = "skip" -> "deny"

Only after manually changing the value to “Deny the user access” in the Authentik UI does Terraform finally read the correct value and report no further changes.

This appears to be a provider-side or API-side bug affecting the persistence or retrieval of not_configured_action.


Environment

Authentik

  • Version: 2025.10.2
  • Running in Kubernetes (Debian 13 (trixie) host nodes)

Terraform

  • Version: v1.14.1
  • Host OS: Debian GNU/Linux 12 (bookworm)
    (linux_arm64)

Terraform Provider

  • authentik provider: 2025.10.1

Terraform Configuration

resource "authentik_stage_authenticator_validate" "passwordless_webauthn_mfa" {
  name                       = "passwordless-webauthn-mfa"
  not_configured_action      = "deny"

  device_classes             = ["webauthn"]
  last_auth_threshold        = "seconds=0"
  webauthn_user_verification = "required"
}

data "authentik_stage" "default_authentication_login" {
  name = "default-authentication-login"
}

Actual Behavior

Running terraform apply succeeds, but the value does not persist in Authentik.

Authentik UI still shows:

Not configured action: Continue

Terraform then reports drift on every plan:

~ not_configured_action = "skip" -> "deny"

After updating the stage manually in the UI to “Deny the user access”, the value is stored correctly, and:

  • Terraform reads back deny
  • terraform plan reports no changes

Expected Behavior

  • Terraform should set not_configured_action = "deny" correctly.
  • Authentik UI should reflect the correct value after apply.
  • No recurring diffs should appear after a successful apply.

Steps to Reproduce

  1. Create a validation stage with the config above.

  2. Run:

    terraform apply

  3. Check the stage in the Authentik UI — it still shows Continue.

  4. Run:

    terraform plan

    → drift appears: "skip" -> "deny"

  5. Manually set “Deny the user access” in the UI.

  6. Re-run terraform plan → no diff.


Notes

  • Other attributes in this resource behave normally.
  • This issue affects only the not_configured_action field.
  • Suspect: provider not sending value, or incorrectly mapping API responses to "skip".
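
A post-apply check for the recurring drift described in this report, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a saved plan (as produced by terraform show -json) and lists validate stages whose live not_configured_action differs from the configured value. The sample plan document and the resource names already_correct and new_stage are constructed for illustration.

```python
import json

STAGE_TYPE = "authentik_stage_authenticator_validate"
FIELD = "not_configured_action"

# Constructed sample: a trimmed plan in `terraform show -json` layout that
# mirrors the drift from this report. It is not output from a real run.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": f"{STAGE_TYPE}.passwordless_webauthn_mfa", "type": STAGE_TYPE,
     "change": {"actions": ["update"],
                "before": {FIELD: "skip"}, "after": {FIELD: "deny"}}},
    # Hypothetical stage whose live value already matches the configuration.
    {"address": f"{STAGE_TYPE}.already_correct", "type": STAGE_TYPE,
     "change": {"actions": ["no-op"],
                "before": {FIELD: "deny"}, "after": {FIELD: "deny"}}},
    # Hypothetical stage being created: "before" is null, so there is no live value.
    {"address": f"{STAGE_TYPE}.new_stage", "type": STAGE_TYPE,
     "change": {"actions": ["create"], "before": None, "after": {FIELD: "deny"}}},
]})


def find_unpersisted(plan_json, field=FIELD):
    """Return (address, live_value, configured_value) for every validate stage
    whose value read from the server differs from the one in configuration."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != STAGE_TYPE:
            continue
        change = rc.get("change") or {}
        before = change.get("before")  # state as read back from authentik
        after = change.get("after")    # state the configuration asks for
        if not before or not after:
            continue  # create or destroy: nothing to compare
        if before.get(field) != after.get(field):
            findings.append((rc["address"], before.get(field), after.get(field)))
    return findings


if __name__ == "__main__":
    hits = find_unpersisted(SAMPLE_PLAN)
    for address, live, wanted in hits:
        print(f"{address}: live {FIELD}={live!r}, configured {wanted!r}")
    # A non-zero exit lets a pipeline stop when the stage is not set as configured.
    raise SystemExit(1 if hits else 0)
```

Run against a plan taken immediately after a successful apply, any finding means the value was not stored as configured.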
