#105 Refactor keycloak-client module

cloudogu · Jan 31, 2025 · 20df39b · 20df39b
1 parent 6369029
commit 20df39b
Show file tree

Hide file tree

Showing 9 changed files with 101 additions and 120 deletions.
diff --git a/terraform/examples/ces_keycloak_gke/.terraform.lock.hcl b/terraform/examples/ces_keycloak_gke/.terraform.lock.hcl
diff --git a/terraform/examples/ces_keycloak_gke/main.tf b/terraform/examples/ces_keycloak_gke/main.tf
@@ -9,8 +9,8 @@ terraform {
       version = ">= 5.31.1"
     }
     keycloak = {
-      source  = "mrparkers/keycloak"
-      version = ">= 4.4"
+      source  = "keycloak/keycloak"
+      version = ">= 5.0.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -91,13 +91,26 @@ provider "keycloak" {
   realm         = var.keycloak_realm_id
 }
 
+resource "random_uuid" "external_cas_openid_client_uuid" {
+  lifecycle {
+    ignore_changes = all
+  }
+}
+
+locals {
+  external_cas_openid_client_id = "ces-${random_uuid.external_cas_openid_client_uuid.result}"
+}
+
 module "keycloak" {
   providers = {
     keycloak = keycloak
   }
-  source                 = "../../keycloak-client-module"
-  ces_fqdn               = google_compute_address.ip_address.address
-  keycloak_client_scopes = var.keycloak_client_scopes
+  source        = "../../keycloak-client-module"
+  realm_id      = "Cloudogu"
+  client_id     = local.external_cas_openid_client_id
+  login_theme   = "cloudogu"
+  client_scopes = var.keycloak_client_scopes
+  ces_fqdn      = google_compute_address.ip_address.address
 }
 
 module "ces" {
@@ -131,8 +144,8 @@ module "ces" {
 
   cas_oidc_enabled                 = true
   cas_oidc_discovery_uri           = "${var.keycloak_url}/realms/${var.keycloak_realm_id}/.well-known/openid-configuration"
-  cas_oidc_client_id               = module.keycloak.external_cas_openid_client_id
-  cas_oidc_client_secret           = module.keycloak.external_cas_openid_client_secret
+  cas_oidc_client_id               = local.external_cas_openid_client_id
+  cas_oidc_client_secret           = module.keycloak.client_secret
   cas_oidc_display_name            = "CAS oidc provider"
   cas_oidc_optional                = var.cas_oidc_optional
   cas_oidc_scopes = concat(["openid"], var.keycloak_client_scopes)

diff --git a/terraform/examples/ces_keycloak_gke/terraform.tfvars.template b/terraform/examples/ces_keycloak_gke/terraform.tfvars.template
@@ -1,6 +1,5 @@
 // For further configuration it is useful to use a separate variable file instead of the file for the secrets.
 gcp_project_name = "my-project"
-gcp_zone         = "europe-west3-c"
 cluster_name     = "keycloak-ces-test-cluster"
 
 keycloak_url = "https://<my-keycloak-domain>/auth"

diff --git a/terraform/keycloak-client-module/README.md b/terraform/keycloak-client-module/README.md
@@ -31,8 +31,7 @@ Configuration:
     - Mapper type: Group Membership
     - Name: groups
     - Token Claim Name: groups
-    - Add to ID token: On (Maybe not needed?)
-    - Add to access token: On (Maybe not needed?)
+    - Add to ID token: On
+    - Add to access token: On
     - Add to userinfo: On
-    - Add to token introspection: On (Maybe not needed?)
-
+    - Add to token introspection: On
diff --git a/...nt-module/ces-service-account-client.json → ...e/ces-service-account-client-example.json b/...nt-module/ces-service-account-client.json → ...e/ces-service-account-client-example.json
@@ -9,7 +9,7 @@
   "enabled": true,
   "alwaysDisplayInConsole": false,
   "clientAuthenticatorType": "client-secret",
-  "secret": "RlFltipEK2Nl18yeVkE60YSQy9m5Zly9",
+  "secret": "REPLACE_ME",
   "redirectUris": [
     "/*"
   ],

diff --git a/terraform/keycloak-client-module/main.tf b/terraform/keycloak-client-module/main.tf
@@ -3,40 +3,30 @@ terraform {
 
   required_providers {
     keycloak = {
-      source  = "mrparkers/keycloak"
-      version = "~> 4.4"
+      source = "keycloak/keycloak"
+      version = ">= 5.0.0"
     }
     random = {
       source  = "hashicorp/random"
-      version = "~> 3.6"
+      version = ">= 3.6"
     }
   }
 }
 
-resource "random_uuid" "external_cas_openid_client_uuid" {
-  lifecycle {
-    ignore_changes = all
-  }
-}
-
-locals {
-  external_cas_openid_client_id = "ces-${random_uuid.external_cas_openid_client_uuid.result}"
-}
-
-resource "random_password" "external_cas_openid_client_secret" {
+resource "random_password" "client_secret" {
   length = 32
   lifecycle {
     ignore_changes = all
   }
 }
 
 resource "keycloak_openid_client" "external_cas_openid_client" {
-  provider  = keycloak
-  realm_id  = var.keycloak_realm_id
-  client_id = local.external_cas_openid_client_id
+  realm_id  = var.realm_id
+  client_id = var.client_id
+  description = var.description
 
   access_type              = "CONFIDENTIAL"
-  client_secret            = random_password.external_cas_openid_client_secret.result
+  client_secret            = random_password.client_secret.result
   standard_flow_enabled    = true
   service_accounts_enabled = true
   authorization {
@@ -53,12 +43,11 @@ resource "keycloak_openid_client" "external_cas_openid_client" {
   ]
   web_origins = ["http://${var.ces_fqdn}"]
   admin_url   = "http://${var.ces_fqdn}/cas"
-  login_theme = "cloudogu"
+  login_theme = var.login_theme
 }
 
 resource "keycloak_openid_client_default_scopes" "external_cas_openid_client_scopes" {
-  provider       = keycloak
-  realm_id       = var.keycloak_realm_id
+  realm_id       = var.realm_id
   client_id      = keycloak_openid_client.external_cas_openid_client.id
-  default_scopes = var.keycloak_client_scopes
-}
+  default_scopes = var.client_scopes
+}
diff --git a/terraform/keycloak-client-module/output.tf b/terraform/keycloak-client-module/output.tf
@@ -1,8 +1,4 @@
-output "external_cas_openid_client_id" {
-  value = local.external_cas_openid_client_id
-}
-
-output "external_cas_openid_client_secret" {
-  value = random_password.external_cas_openid_client_secret.result
+output "client_secret" {
+  value = random_password.client_secret.result
   sensitive = true
 }
diff --git a/terraform/keycloak-client-module/terraform.tfvars.tpl b/terraform/keycloak-client-module/terraform.tfvars.tpl
@@ -1,2 +1,6 @@
 ces_fqdn = ""
-keycloak_url = "<keycloak-url>/auth"
+realm_id = "Cloudogu"
+client_id = ""
+description = ""
+client_scopes = ["email", "groups", "profile"]
+login_theme = "cloudogu"
diff --git a/terraform/keycloak-client-module/variables.tf b/terraform/keycloak-client-module/variables.tf
@@ -1,17 +1,34 @@
-variable "keycloak_realm_id" {
+variable "realm_id" {
   description = "Keycloak realm to be used for the External CAS OpenID client"
-  default = "Cloudogu"
   type = string
+  nullable = false
 }
 
-variable "ces_fqdn" {
-  description = "FQDN or IP address of the CES"
+variable "client_id" {
+  description = "ID of the created keycloak client"
   type = string
   nullable = false
 }
 
-variable "keycloak_client_scopes" {
+variable "description" {
+  description = "Description for the created keycloak client"
+  type = string
+  default = ""
+}
+
+variable "client_scopes" {
   description = "OIDC scopes to add as default scopes in the keycloak client"
   type = list(string)
-  default = ["acr", "email", "groups", "profile", "roles", "web-origins"]
+  default = ["email", "groups", "profile"]
+}
+
+variable "login_theme" {
+  description = "The client login theme. This will override the default theme for the realm."
+  type = string
+}
+
+variable "ces_fqdn" {
+  description = "FQDN or IP address of the CES"
+  type = string
+  nullable = false
 }