refactor(ops/keycloak): Split out clients & user-sources

Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).

Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
This commit is contained in:
Vincent Ambo 2022-01-01 17:46:11 +03:00 committed by tazjin
parent 5e036ed9fc
commit 5a6f984222
3 changed files with 113 additions and 106 deletions

92
ops/keycloak/clients.tf Normal file
View file

@ -0,0 +1,92 @@
# All Keycloak clients, that is applications which authenticate
# through Keycloak.
#
# Includes first-party (i.e. TVL-hosted) and third-party clients.
resource "keycloak_openid_client" "grafana" {
realm_id = keycloak_realm.tvl.id
client_id = "grafana"
name = "Grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://status.tvl.su"
valid_redirect_uris = [
"https://status.tvl.su/*",
]
}
resource "keycloak_openid_client" "gerrit" {
realm_id = keycloak_realm.tvl.id
client_id = "gerrit"
name = "TVL Gerrit"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://cl.tvl.fyi"
description = "TVL's code review tool"
direct_access_grants_enabled = true
exclude_session_state_from_auth_response = false
valid_redirect_uris = [
"https://cl.tvl.fyi/*",
]
web_origins = [
"https://cl.tvl.fyi",
]
}
resource "keycloak_saml_client" "buildkite" {
realm_id = keycloak_realm.tvl.id
client_id = "https://buildkite.com"
name = "Buildkite"
base_url = "https://buildkite.com/sso/tvl"
client_signature_required = false
assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
valid_redirect_uris = [
"https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
]
}
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_saml_client.buildkite.id
name = "buildkite-email-mapper"
user_attribute = "email"
saml_attribute_name = "email"
saml_attribute_name_format = "Unspecified"
}
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_saml_client.buildkite.id
name = "buildkite-name-mapper"
user_attribute = "displayName"
saml_attribute_name = "name"
saml_attribute_name_format = "Unspecified"
}
resource "keycloak_openid_client" "oauth2_proxy" {
realm_id = keycloak_realm.tvl.id
client_id = "oauth2-proxy"
name = "TVL OAuth2 Proxy"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://login.tvl.fyi/oauth2/callback",
"http://localhost:4774/oauth2/callback",
]
}
resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_openid_client.oauth2_proxy.id
name = "oauth2-proxy-audience"
included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
}

View file

@ -32,109 +32,3 @@ resource "keycloak_realm" "tvl" {
display_name = "The Virus Lounge"
default_signature_algorithm = "RS256"
}
resource "keycloak_ldap_user_federation" "tvl_ldap" {
name = "tvl-ldap"
realm_id = keycloak_realm.tvl.id
enabled = true
connection_url = "ldap://localhost"
users_dn = "ou=users,dc=tvl,dc=fyi"
username_ldap_attribute = "cn"
uuid_ldap_attribute = "cn"
rdn_ldap_attribute = "cn"
full_sync_period = 86400
trust_email = true
user_object_classes = [
"inetOrgPerson",
"organizationalPerson",
]
}
resource "keycloak_openid_client" "oauth2_proxy" {
realm_id = keycloak_realm.tvl.id
client_id = "oauth2-proxy"
name = "TVL OAuth2 Proxy"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://login.tvl.fyi/oauth2/callback",
"http://localhost:4774/oauth2/callback",
]
}
resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_openid_client.oauth2_proxy.id
name = "oauth2-proxy-audience"
included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
}
resource "keycloak_openid_client" "grafana" {
realm_id = keycloak_realm.tvl.id
client_id = "grafana"
name = "Grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://status.tvl.su"
valid_redirect_uris = [
"https://status.tvl.su/*",
]
}
resource "keycloak_openid_client" "gerrit" {
realm_id = keycloak_realm.tvl.id
client_id = "gerrit"
name = "TVL Gerrit"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
base_url = "https://cl.tvl.fyi"
description = "TVL's code review tool"
direct_access_grants_enabled = true
exclude_session_state_from_auth_response = false
valid_redirect_uris = [
"https://cl.tvl.fyi/*",
]
web_origins = [
"https://cl.tvl.fyi",
]
}
resource "keycloak_saml_client" "buildkite" {
realm_id = keycloak_realm.tvl.id
client_id = "https://buildkite.com"
name = "Buildkite"
base_url = "https://buildkite.com/sso/tvl"
client_signature_required = false
assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
valid_redirect_uris = [
"https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
]
}
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_saml_client.buildkite.id
name = "buildkite-email-mapper"
user_attribute = "email"
saml_attribute_name = "email"
saml_attribute_name_format = "Unspecified"
}
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
realm_id = keycloak_realm.tvl.id
client_id = keycloak_saml_client.buildkite.id
name = "buildkite-name-mapper"
user_attribute = "displayName"
saml_attribute_name = "name"
saml_attribute_name_format = "Unspecified"
}

View file

@ -0,0 +1,21 @@
# All user sources, that is services from which Keycloak gets user
# information (either by accessing a system like LDAP or integration
# through protocols like OIDC).
resource "keycloak_ldap_user_federation" "tvl_ldap" {
name = "tvl-ldap"
realm_id = keycloak_realm.tvl.id
enabled = true
connection_url = "ldap://localhost"
users_dn = "ou=users,dc=tvl,dc=fyi"
username_ldap_attribute = "cn"
uuid_ldap_attribute = "cn"
rdn_ldap_attribute = "cn"
full_sync_period = 86400
trust_email = true
user_object_classes = [
"inetOrgPerson",
"organizationalPerson",
]
}