From cdc26ec6b7789574668033507cb52863547588dc Mon Sep 17 00:00:00 2001
From: Jeremias Weber
Date: Mon, 27 Jan 2025 16:10:51 +0100
Subject: [PATCH] #105 Create keycloak module

---
 terraform/keycloak-module/main.tf | 69 +++++++++++++++++++
 .../keycloak-module/terraform.tfvars.tpl | 4 ++
 terraform/keycloak-module/variables.tf | 29 ++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 terraform/keycloak-module/main.tf
 create mode 100644 terraform/keycloak-module/terraform.tfvars.tpl
 create mode 100644 terraform/keycloak-module/variables.tf

diff --git a/terraform/keycloak-module/main.tf b/terraform/keycloak-module/main.tf
new file mode 100644
index 0000000..30dfa58
--- /dev/null
+++ b/terraform/keycloak-module/main.tf
@@ -0,0 +1,69 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ keycloak = {
+ source = "mrparkers/keycloak"
+ version = "~> 4.4"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.6"
+ }
+ }
+}
+
+provider "keycloak" {
+ client_id = var.keycloak_service_account_client_id
+ client_secret = var.keycloak_service_account_client_secret
+ url = var.keycloak_url
+ realm = var.keycloak_realm_id
+}
+
+resource "random_uuid" "external_cas_openid_client_uuid" {
+ keepers = {
+ openid_client = keycloak_openid_client.external_cas_openid_client.id
+ }
+}
+
+locals {
+ external_cas_openid_client_id = "ces-${random_uuid.external_cas_openid_client_uuid[0].result}"
+}
+
+resource "random_password" "external_cas_openid_client_secret" {
+ keepers = {
+ openid_client = keycloak_openid_client.external_cas_openid_client.id
+ }
+ length = 32
+}
+
+resource "keycloak_openid_client" "external_cas_openid_client" {
+ realm_id = var.keycloak_realm_id
+ client_id = local.external_cas_openid_client_id
+
+ access_type = "CONFIDENTIAL"
+ client_secret = random_password.external_cas_openid_client_secret[0].result
+ standard_flow_enabled = true
+ service_accounts_enabled = true
+ authorization {
+ policy_enforcement_mode = "ENFORCING"
+ decision_strategy = "UNANIMOUS"
+ allow_remote_resource_management = true
+ }
+
+ root_url = "http://${var.ces_fqdn}/cas"
+ base_url = "http://${var.ces_fqdn}/cas"
+ valid_redirect_uris = [
+ "http://${var.ces_fqdn}/cas/*",
+ "https://${var.ces_fqdn}/cas/*"
+ ]
+ web_origins = ["http://${var.ces_fqdn}"]
+ admin_url = "http://${var.ces_fqdn}/cas"
+ login_theme = "cloudogu"
+}
+
+resource "keycloak_openid_client_default_scopes" "external_cas_openid_client_scopes" {
+ realm_id = var.keycloak_realm_id
+ client_id = keycloak_openid_client.external_cas_openid_client[0].id
+ default_scopes = ["acr", "email", "groups", "profile", "roles", "web-origins"]
+}
\ No newline at end of file
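Review bot: The resources in this hunk form a dependency cycle that `terraform plan` will reject: `random_uuid.external_cas_openid_client_uuid` and `random_password.external_cas_openid_client_secret` both reference `keycloak_openid_client.external_cas_openid_client.id` in their `keepers`, while the client itself consumes `local.external_cas_openid_client_id` (built from the uuid) and the password's `result`. The `[0]` index on `random_uuid.external_cas_openid_client_uuid[0].result`, `random_password.external_cas_openid_client_secret[0].result` and `keycloak_openid_client.external_cas_openid_client[0].id` is also invalid, because none of these resources declares `count` or `for_each`. Dropping the keepers breaks the cycle (the generated id and secret then stay stable across client replacement, which is presumably acceptable — confirm), and the references should be unindexed, e.g. `client_id = keycloak_openid_client.external_cas_openid_client.id` in the default-scopes resource. Separately, `root_url`, `base_url`, `admin_url`, `web_origins` and the first `valid_redirect_uris` entry use plain `http://`; the authorization code of this CONFIDENTIAL client is delivered through that redirect, so unless cleartext is required for the CES setup the `http` entries should give way to the `https` ones.
```hcl
resource "random_uuid" "external_cas_openid_client_uuid" {}

locals {
  external_cas_openid_client_id = "ces-${random_uuid.external_cas_openid_client_uuid.result}"
}

resource "random_password" "external_cas_openid_client_secret" {
  length = 32
}

resource "keycloak_openid_client" "external_cas_openid_client" {
  realm_id      = var.keycloak_realm_id
  client_id     = local.external_cas_openid_client_id
  access_type   = "CONFIDENTIAL"
  client_secret = random_password.external_cas_openid_client_secret.result
  # … unchanged: flow flags, authorization block, URLs, theme …
}
```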
diff --git a/terraform/keycloak-module/terraform.tfvars.tpl b/terraform/keycloak-module/terraform.tfvars.tpl
new file mode 100644
index 0000000..6cfe150
--- /dev/null
+++ b/terraform/keycloak-module/terraform.tfvars.tpl
@@ -0,0 +1,4 @@
+ces_fqdn = ""
+keycloak_url = "/auth"
+keycloak_service_account_client_id = ""
+keycloak_service_account_client_secret = ""
\ No newline at end of file
diff --git a/terraform/keycloak-module/variables.tf b/terraform/keycloak-module/variables.tf
new file mode 100644
index 0000000..c6a5378
--- /dev/null
+++ b/terraform/keycloak-module/variables.tf
@@ -0,0 +1,29 @@
+variable "keycloak_realm_id" {
+ description = "Keycloak realm to be used for the External CAS OpenID client"
+ default = "Cloudogu"
+ type = string
+}
+
+variable "keycloak_url" {
+ description = "Keycloak URL to use for creating the External CAS OpenID client"
+ nullable = false
+ type = string
+}
+
+variable "keycloak_service_account_client_id" {
+ description = "Keycloak client id to use for creating the External CAS OpenID client"
+ nullable = false
+ type = string
+}
+
+variable "keycloak_service_account_client_secret" {
+ description = "Keycloak client secret to use for creating the External CAS OpenID client"
+ nullable = false
+ type = string
+ sensitive = true
+}
+
+variable "ces_fqdn" {
+ type = string
+ nullable = false
+}
\ No newline at end of file
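Review bot: `keycloak_url = "/auth"` is a path rather than a URL, yet main.tf passes `var.keycloak_url` straight into the keycloak provider's `url`, which takes the Keycloak base URL including scheme and host; either the template should carry a full placeholder such as `keycloak_url = "https://<keycloak-host>/auth"` or the provider block should compose the URL from `ces_fqdn`. The template also expects `keycloak_service_account_client_secret` to be filled in; the rendered tfvars file is presumably kept out of version control — worth confirming, since a committed copy would expose the service-account secret alongside the module.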
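Review bot: `ces_fqdn` is the only variable in this hunk without a `description`, although main.tf interpolates it into every URL of the OpenID client; add `description = "FQDN of the CES instance; used to build the CAS root/base/admin URLs, redirect URIs and web origins"`. Since `keycloak_url` is handed directly to the provider's `url`, its description should also state that an absolute base URL (scheme and host) is expected, e.g. `description = "Absolute base URL of the Keycloak server (scheme and host) used to create the External CAS OpenID client"`.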