fix(ops/keycloak): redefine buildkite client, correctly this time

This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform. This sets up the Buildkite provider again but with the correct SAML configuration this time. Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: tazjin <mail@tazj.in>
2021-12-28 15:38:33 +03:00 · 2021-12-28 15:38:33 +03:00 · b763f183f7
commit b763f183f7
parent 666a944c59
1 changed files with 27 additions and 16 deletions
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@ -107,23 +107,34 @@ resource "keycloak_openid_client" "gerrit" {
  ]
 }

-resource "keycloak_openid_client" "buildkite" {
-  realm_id                                 = keycloak_realm.tvl.id
-  client_id                                = "https://buildkite.com"
-  name                                     = "Buildkite"
-  enabled                                  = true
-  access_type                              = "CONFIDENTIAL"
-  standard_flow_enabled                    = true
-  base_url                                 = "https://buildkite.com/sso/tvl"
-  direct_access_grants_enabled             = false
-  exclude_session_state_from_auth_response = false
-  backchannel_logout_session_required      = false
+resource "keycloak_saml_client" "buildkite" {
+  realm_id  = keycloak_realm.tvl.id
+  client_id = "https://buildkite.com"
+  name      = "Buildkite"
+  base_url  = "https://buildkite.com/sso/tvl"
+
+  client_signature_required   = false
+  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"

  valid_redirect_uris = [
-    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume",
-  ]
-
-  web_origins = [
-    "https://buildkite.com",
+    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
  ]
 }
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+  realm_id                   = keycloak_realm.tvl.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-email-mapper"
+  user_attribute             = "email"
+  saml_attribute_name        = "email"
+  saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+  realm_id                   = keycloak_realm.tvl.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-name-mapper"
+  user_attribute             = "displayName"
+  saml_attribute_name        = "name"
+  saml_attribute_name_format = "Unspecified"
+}