authentik_policy_binding cannot bind expression policy to a stage

[fayak]

Hi,

I'm trying to follow https://goauthentik.io/integrations/sources/google/#username-mapping as code. I came up with this:

resource "authentik_policy_expression" "username" {
  name       = "username"
  expression = <<EOT
email = request.context["prompt_data"]["email"]
request.context["prompt_data"]["username"] = email[0] + email.split('@')[0].split('.')[1]
return False
EOT
}

data "authentik_stage" "default-source-enrollment-prompt" {
    name = "default-source-enrollment-prompt"
}

resource "authentik_policy_binding" "username-enrollment" {
     target = data.authentik_stage.default-source-enrollment-prompt.id
     policy = authentik_policy_expression.username.id
     order  = 0
}

The authentik_policy_binding doesn't seems to like my target argument. I tried creating manually the binding, and importing it, I now have an ID for target that doesn't match anything. I tried dumping authentik DB to see where this ID is mentioned, and it's mentioned only once, in the table public.authentik_flows_flowstagebinding.

I think there is no way to bind an expression policy to a stage currently

[BeryJu]

You cannot bind a policy to a stage in authentik at all, the policy can only be bound to the binding of a stage to a flow. You can use the ID of the flow stage binding as a target in the policy binding: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/flow_stage_binding

[ypyly]

you can bind a policy to the flow stage binding and I assume that's the thing that @fayak was reffering to the problem with that there is no data authentik_flow_stage_binding, so you can only do that to your created authentik_flow_stage_binding