keycloak.tf 27.1 KB
Newer Older
1
2
3
4
5
6
terraform {
  backend "pg" {
    schema_name = "terraform_remote_state_stage2"
  }
}

7
data "external" "vault_keycloak" {
8
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_keycloak.yml",
9
10
11
12
    "vault_keycloak_admin_user",
    "vault_keycloak_admin_password",
    "vault_keycloak_smtp_user",
    "vault_keycloak_smtp_password",
13
  "--format", "json"]
14
15
}

16
data "external" "vault_google" {
17
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_google.yml",
18
19
    "vault_google_recaptcha_site_key",
    "vault_google_recaptcha_secret_key",
20
  "--format", "json"]
21
22
}

23
data "external" "vault_github" {
24
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_github.yml",
25
26
    "vault_github_oauth_app_client_id",
    "vault_github_oauth_app_client_secret",
27
  "--format", "json"]
28
29
}

Jelle van der Waa's avatar
Jelle van der Waa committed
30
data "external" "vault_monitoring" {
31
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_monitoring.yml",
Jelle van der Waa's avatar
Jelle van der Waa committed
32
    "vault_monitoring_grafana_client_secret",
33
  "--format", "json"]
Jelle van der Waa's avatar
Jelle van der Waa committed
34
35
}

36
data "external" "vault_hedgedoc" {
37
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_hedgedoc.yml",
38
39
40
41
    "vault_hedgedoc_client_secret",
  "--format", "json"]
}

42
data "external" "vault_matrix" {
43
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_matrix.yml",
44
45
46
47
    "vault_matrix_openid_client_secret",
  "--format", "json"]
}

48
49
provider "keycloak" {
  client_id = "admin-cli"
50
51
52
  username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
  password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
  url       = "https://accounts.archlinux.org"
53
54
55
56
}

variable "gitlab_instance" {
  default = {
57
    root_url          = "https://gitlab.archlinux.org"
58
59
60
61
    saml_redirect_url = "https://gitlab.archlinux.org/users/auth/saml/callback"
  }
}

62
resource "keycloak_realm" "archlinux" {
63
64
65
66
  realm             = "archlinux"
  enabled           = true
  remember_me       = true
  display_name      = "Arch Linux"
67
  display_name_html = "<div class=\"kc-logo-text\"><span>Arch Linux</span></div>"
68

69
  registration_allowed     = true
70
71
  reset_password_allowed   = true
  verify_email             = true
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
72
  login_with_email_allowed = true
73
  password_policy          = "length(8) and notUsername"
74
75
76
77

  web_authn_policy {
    relying_party_entity_name = "Arch Linux SSO"
    relying_party_id          = "accounts.archlinux.org"
78
    signature_algorithms      = ["ES256", "RS256", "ES512", "RS512"]
79
  }
80

81
  login_theme   = "archlinux"
82
  account_theme = "archlinux"
83
  admin_theme   = "archlinux"
84

85
86
  browser_flow           = "Arch Browser"
  registration_flow      = "Arch Registration"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
87
  reset_credentials_flow = "Arch Reset Credentials"
88

89
  smtp_server {
90
91
    host              = "mail.archlinux.org"
    from              = "accounts@archlinux.org"
92
    port              = "465"
93
    from_display_name = "Arch Linux Accounts"
94
95
    ssl               = true
    starttls          = false
96
97

    auth {
98
99
      username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
      password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
100
101
    }
  }
102
103

  security_defenses {
104
105
106
107
108
109
110
111
112
    headers {
      x_frame_options                     = "ALLOW-FROM https://www.google.com"
      content_security_policy             = "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';"
      content_security_policy_report_only = ""
      x_content_type_options              = "nosniff"
      x_robots_tag                        = "none"
      x_xss_protection                    = "1; mode=block"
      strict_transport_security           = "max-age=31536000; includeSubDomains"
    }
113
    brute_force_detection {
114
115
116
117
118
119
120
      permanent_lockout                = false
      max_login_failures               = 30
      wait_increment_seconds           = 60
      quick_login_check_milli_seconds  = 1000
      minimum_quick_login_wait_seconds = 60
      max_failure_wait_seconds         = 900
      failure_reset_time_seconds       = 43200
121
122
    }
  }
123
124
}

125
126
127
128
129
130
131
132
resource "keycloak_required_action" "custom-terms-and-conditions" {
  realm_id       = "archlinux"
  alias          = "terms_and_conditions"
  default_action = true
  enabled        = true
  name           = "Terms and Conditions"
}

133
resource "keycloak_required_action" "configure_otp" {
134
135
136
137
138
  realm_id = "archlinux"
  alias    = "CONFIGURE_TOTP"
  enabled  = true
  name     = "Configure OTP"
  priority = 0
139
140
141
}

resource "keycloak_required_action" "update_password" {
142
143
144
145
146
  realm_id = "archlinux"
  alias    = "UPDATE_PASSWORD"
  enabled  = true
  name     = "Update Password"
  priority = 20
147
148
149
}

resource "keycloak_required_action" "update_profile" {
150
151
152
153
154
  realm_id = "archlinux"
  alias    = "UPDATE_PROFILE"
  enabled  = true
  name     = "Update Profile"
  priority = 30
155
156
157
}

resource "keycloak_required_action" "verify_email" {
158
159
160
161
162
  realm_id = "archlinux"
  alias    = "VERIFY_EMAIL"
  enabled  = true
  name     = "Verify Email"
  priority = 40
163
164
165
}

resource "keycloak_required_action" "update_user_locale" {
166
167
168
169
170
  realm_id = "archlinux"
  alias    = "update_user_locale"
  enabled  = true
  name     = "Update User Locale"
  priority = 50
171
172
173
}

resource "keycloak_required_action" "webauthn_register" {
174
175
176
177
178
  realm_id = "archlinux"
  alias    = "webauthn-register"
  enabled  = true
  name     = "Webauthn Register"
  priority = 60
179
}
Kristian Klausen's avatar
Kristian Klausen committed
180

181
182
183
resource "keycloak_realm_events" "realm_events" {
  realm_id = "archlinux"

184
185
  events_enabled    = true
  events_expiration = 7889238 # 3 months
186
187
188
189
190
191
192
193
194

  admin_events_enabled         = true
  admin_events_details_enabled = true

  # When omitted or left empty, keycloak will enable all event types
  enabled_event_types = [
  ]

  events_listeners = [
195
    "jboss-logging",    # keycloak enables the 'jboss-logging' event listener by default.
196
    "metrics-listener", # enable the prometheus exporter (keycloak-metrics-spi)
197
198
199
  ]
}

200
resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
201
202
203
204
205
206
207
208
  realm                        = "archlinux"
  alias                        = "github"
  provider_id                  = "github"
  authorization_url            = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
  client_id                    = data.external.vault_github.result.vault_github_oauth_app_client_id
  client_secret                = data.external.vault_github.result.vault_github_oauth_app_client_secret
  token_url                    = ""
  default_scopes               = ""
209
  post_broker_login_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
210
  enabled                      = true
211
212
213
  trust_email                  = false
  store_token                  = false
  backchannel_supported        = false
214
215
216
217
218
  extra_config = {
    syncMode = "IMPORT"
  }
}

219
resource "keycloak_saml_client" "saml_gitlab" {
220
  realm_id  = "archlinux"
221
222
  client_id = "saml_gitlab"

223
  name    = "Arch Linux Accounts"
224
225
  enabled = true

226
  signature_algorithm = "RSA_SHA256"
227
228
  sign_documents      = true
  sign_assertions     = true
229
230
231
232
233

  valid_redirect_uris = [
    var.gitlab_instance.saml_redirect_url
  ]

234
235
  root_url                   = var.gitlab_instance.root_url
  base_url                   = "/"
236
  master_saml_processing_url = var.gitlab_instance.saml_redirect_url
237
238
239
240
241
  idp_initiated_sso_url_name = "saml_gitlab"

  assertion_consumer_post_url = var.gitlab_instance.saml_redirect_url
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
242
243
244
// This client is only used for the return URL redirect hack!
// See roles/gitlab/tasks/main.yml
resource "keycloak_openid_client" "openid_gitlab" {
245
  realm_id  = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
246
247
  client_id = "openid_gitlab"

248
  name    = "Arch Linux Accounts"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
249
250
  enabled = true

251
  access_type           = "PUBLIC"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
252
  standard_flow_enabled = true
253
  full_scope_allowed    = false
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
254
255
256
257
258
  valid_redirect_uris = [
    "https://gitlab.archlinux.org"
  ]
}

259
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
260
  realm_id  = "archlinux"
261
262
  client_id = keycloak_saml_client.saml_gitlab.id

263
264
265
266
  name                       = "email"
  user_property              = "Email"
  friendly_name              = "Email"
  saml_attribute_name        = "email"
267
268
269
270
  saml_attribute_name_format = "Basic"
}

resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name" {
271
  realm_id  = "archlinux"
272
273
  client_id = keycloak_saml_client.saml_gitlab.id

274
275
276
277
  name                       = "first_name"
  user_property              = "FirstName"
  friendly_name              = "First Name"
  saml_attribute_name        = "first_name"
278
279
280
281
  saml_attribute_name_format = "Basic"
}

resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_last_name" {
282
  realm_id  = "archlinux"
283
284
  client_id = keycloak_saml_client.saml_gitlab.id

285
286
287
288
  name                       = "last_name"
  user_property              = "LastName"
  friendly_name              = "Last Name"
  saml_attribute_name        = "last_name"
289
290
291
292
  saml_attribute_name_format = "Basic"
}

resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_username" {
293
  realm_id  = "archlinux"
294
295
  client_id = keycloak_saml_client.saml_gitlab.id

296
297
298
299
  name                       = "username"
  user_property              = "Username"
  friendly_name              = "Username"
  saml_attribute_name        = "username"
300
301
302
  saml_attribute_name_format = "Basic"
}

303
304
305
306
307
308
// This is the super group in which we put the other Arch groups.
// We want to end up with this structure:
// Arch Linux Staff
// |- DevOps
// |- Developers
// |- Trusted Users
Jelle van der Waa's avatar
Jelle van der Waa committed
309
// |- Wiki
310
// |  |- Admins
311
// |  |- Maintainers
Jelle van der Waa's avatar
Jelle van der Waa committed
312
// |- Forum
313
314
// |  |- Admins
// |  |- Mods
Jelle van der Waa's avatar
Jelle van der Waa committed
315
// |- Security Team
316
317
318
319
// |  |- Admins
// |  |- Members
// |- IRC
// |  |- Ops
Jelle van der Waa's avatar
Jelle van der Waa committed
320
// |- Archweb
321
322
// |  |- Mirrorlist Maintainers
// |- Bug Wranglers
323
// External Contributors
324
325
326
327
// |- Security Team
// |  |- Reporters
// |- Archweb
//    |- Testers
328
resource "keycloak_group" "staff" {
329
  realm_id = "archlinux"
330
  name     = "Arch Linux Staff"
331
332
}

333
334
335
resource "keycloak_group" "staff_groups" {
  for_each = toset(["DevOps", "Developers", "Trusted Users", "Wiki", "Forum", "Security Team", "IRC", "Archweb", "Bug Wranglers"])

336
  realm_id  = "archlinux"
337
  parent_id = keycloak_group.staff.id
338
  name      = each.value
339
340
}

341
resource "keycloak_group" "staff_wiki_groups" {
342
  for_each = toset(["Admins", "Maintainers"])
Jelle van der Waa's avatar
Jelle van der Waa committed
343

344
  realm_id  = "archlinux"
345
  parent_id = keycloak_group.staff_groups["Wiki"].id
346
  name      = each.value
Jelle van der Waa's avatar
Jelle van der Waa committed
347
348
}

349
350
resource "keycloak_group" "staff_forum_groups" {
  for_each = toset(["Admins", "Mods"])
Jelle van der Waa's avatar
Jelle van der Waa committed
351

352
  realm_id  = "archlinux"
353
  parent_id = keycloak_group.staff_groups["Forum"].id
354
  name      = each.value
Jelle van der Waa's avatar
Jelle van der Waa committed
355
356
}

357
358
359
resource "keycloak_group" "staff_securityteam_groups" {
  for_each = toset(["Admins", "Members"])

360
  realm_id  = "archlinux"
361
  parent_id = keycloak_group.staff_groups["Security Team"].id
362
  name      = each.value
363
364
}

365
366
resource "keycloak_group" "staff_irc_groups" {
  for_each = toset(["Ops"])
367

368
  realm_id  = "archlinux"
369
  parent_id = keycloak_group.staff_groups["IRC"].id
370
  name      = each.value
371
372
}

373
374
resource "keycloak_group" "staff_archweb_groups" {
  for_each = toset(["Mirrorlist Maintainers"])
Jelle van der Waa's avatar
Jelle van der Waa committed
375

376
  realm_id  = "archlinux"
377
  parent_id = keycloak_group.staff_groups["Archweb"].id
378
  name      = each.value
Jelle van der Waa's avatar
Jelle van der Waa committed
379
380
}

381
382
resource "keycloak_group" "externalcontributors" {
  realm_id = "archlinux"
383
  name     = "External Contributors"
384
385
386
387
}

resource "keycloak_group" "externalcontributors_groups" {
  for_each = toset(["Security Team", "Archweb"])
Jelle van der Waa's avatar
Jelle van der Waa committed
388

389
  realm_id  = "archlinux"
390
  parent_id = keycloak_group.externalcontributors.id
391
  name      = each.value
Jelle van der Waa's avatar
Jelle van der Waa committed
392
393
}

394
395
resource "keycloak_group" "externalcontributors_securityteam_groups" {
  for_each = toset(["Reporters"])
Jelle van der Waa's avatar
Jelle van der Waa committed
396

397
  realm_id  = "archlinux"
398
  parent_id = keycloak_group.externalcontributors_groups["Security Team"].id
399
  name      = each.value
Jelle van der Waa's avatar
Jelle van der Waa committed
400
401
}

402
403
resource "keycloak_group" "externalcontributors_archweb_groups" {
  for_each = toset(["Testers"])
Jelle van der Waa's avatar
Jelle van der Waa committed
404

405
  realm_id  = "archlinux"
406
  parent_id = keycloak_group.externalcontributors_groups["Archweb"].id
407
  name      = each.value
Jelle van der Waa's avatar
Jelle van der Waa committed
408
409
}

410
resource "keycloak_role" "devops" {
411
412
  realm_id    = "archlinux"
  name        = "DevOps"
413
  description = "Role held by members of the DevOps group"
414
415
}

416
resource "keycloak_role" "staff" {
417
418
  realm_id    = "archlinux"
  name        = "Staff"
419
420
421
  description = "Role held by all Arch Linux staff"
}

422
resource "keycloak_role" "externalcontributor" {
423
424
  realm_id    = "archlinux"
  name        = "External Contributor"
425
426
427
  description = "Role held by external contributors working on Arch Linux projects without further access"
}

428
resource "keycloak_group_roles" "devops" {
429
  realm_id = "archlinux"
430
  group_id = keycloak_group.staff_groups["DevOps"].id
431
  role_ids = [
432
    keycloak_role.devops.id
433
434
435
  ]
}

436
437
438
439
resource "keycloak_group_roles" "staff" {
  realm_id = "archlinux"
  group_id = keycloak_group.staff.id
  role_ids = [
440
    keycloak_role.staff.id
441
442
443
  ]
}

444
resource "keycloak_group_roles" "externalcontributor" {
445
  realm_id = "archlinux"
446
  group_id = keycloak_group.externalcontributors.id
447
  role_ids = [
448
    keycloak_role.externalcontributor.id
449
450
451
  ]
}

452
453
// Add new custom registration flow with reCAPTCHA
resource "keycloak_authentication_flow" "arch_registration_flow" {
454
455
  realm_id    = "archlinux"
  alias       = "Arch Registration"
456
457
458
459
  description = "Customized Registration flow that forces enables ReCAPTCHA."
}

resource "keycloak_authentication_subflow" "registration_form" {
460
461
  realm_id          = "archlinux"
  alias             = "Registration Form"
462
  parent_flow_alias = keycloak_authentication_flow.arch_registration_flow.alias
463
464
465
  provider_id       = "form-flow"
  authenticator     = "registration-page-form"
  requirement       = "REQUIRED"
466
467
468
}

resource "keycloak_authentication_execution" "registration_user_creation" {
469
  realm_id          = "archlinux"
470
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
471
472
  authenticator     = "registration-user-creation"
  requirement       = "REQUIRED"
473
474
475
}

resource "keycloak_authentication_execution" "registration_profile_action" {
476
  realm_id          = "archlinux"
477
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
478
479
480
  authenticator     = "registration-profile-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_user_creation]
481
482
483
}

resource "keycloak_authentication_execution" "registration_password_action" {
484
  realm_id          = "archlinux"
485
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
486
487
488
  authenticator     = "registration-password-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_profile_action]
489
490
491
}

resource "keycloak_authentication_execution" "registration_recaptcha_action" {
492
  realm_id          = "archlinux"
493
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
494
495
496
  authenticator     = "registration-recaptcha-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_password_action]
497
498
499
}

resource "keycloak_authentication_execution_config" "registration_recaptcha_action_config" {
500
501
  realm_id     = "archlinux"
  alias        = "reCAPTCHA config"
502
503
504
  execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
  config = {
    "useRecaptchaNet" = "false",
505
506
    "site.key"        = data.external.vault_google.result.vault_google_recaptcha_site_key
    "secret"          = data.external.vault_google.result.vault_google_recaptcha_secret_key
507
508
509
  }
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
510
// Add new custom browser login flow with WebAuthn support and forced OTP.
511
//
512
513
// Try misc/kcadm_wrapper.sh get authentication/flows/{{ your flow alias}}/executions
// to make this a whole lot easier.
514
515
516
// NOTE: We use the `depends_on` calls to properly order the executions and subflows inside the
// flow. This has to be done until https://github.com/mrparkers/terraform-provider-keycloak/issues/296
// is fixed. :(
517
518
519
520
521
// We want to end up with something like this:
//
// Arch Browser flow
// |- Cookie (A)
// |- Identity Provider Redirector (A)
Kristian Klausen's avatar
Kristian Klausen committed
522
// |- Password and 2FA Subflow (A)
523
//   |- Username Password Form (R)
Kristian Klausen's avatar
Kristian Klausen committed
524
//   |- 2FA Subflow (R)
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
525
526
527
528
//      |- WebAuthn Authenticator (A)
//      |- OTP Form (A)
//      |- OTP Default Subflow (A)
//         |- OTP Form (R)
529
530
531
532
533
//
// IMPORTANT NOTE: Sometimes when changing Authentication Flows via Terraform or UI, flows can become orphaned in which
// case they'll hang around the database doing nothing useful and blocking alias names and causing 409 CONFLICTS. If such
// a thing happens, you'll have to get dirty and and manually clean up the authentication_flows and authentication_executions
// tables on the Keycloak Postgres DB! Quality Red Hat software right there.
534

535
resource "keycloak_authentication_flow" "arch_browser_flow" {
536
537
  realm_id    = "archlinux"
  alias       = "Arch Browser"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
538
  description = "Customized Browser flow that forces 2FA."
539
540
541
}

resource "keycloak_authentication_execution" "cookie" {
542
  realm_id          = "archlinux"
543
  parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
544
545
546
  authenticator     = "auth-cookie"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_flow.arch_browser_flow]
547
548
549
}

resource "keycloak_authentication_execution" "identity_provider_redirector" {
550
  realm_id          = "archlinux"
551
  parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
552
553
554
  authenticator     = "identity-provider-redirector"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.cookie]
555
556
}

Kristian Klausen's avatar
Kristian Klausen committed
557
resource "keycloak_authentication_subflow" "password_and_2fa" {
558
559
  realm_id          = "archlinux"
  alias             = "Password and 2FA subflow"
560
  parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
561
562
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.identity_provider_redirector]
563
564
565
}

resource "keycloak_authentication_execution" "username_password_form" {
566
  realm_id          = "archlinux"
Kristian Klausen's avatar
Kristian Klausen committed
567
  parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
568
569
  authenticator     = "auth-username-password-form"
  requirement       = "REQUIRED"
570
571
}

Kristian Klausen's avatar
Kristian Klausen committed
572
resource "keycloak_authentication_subflow" "_2fa" {
573
574
  realm_id          = "archlinux"
  alias             = "2FA subflow"
Kristian Klausen's avatar
Kristian Klausen committed
575
  parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
576
577
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.username_password_form]
578
579
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
580
resource "keycloak_authentication_execution" "webauthn_form" {
581
  realm_id          = "archlinux"
Kristian Klausen's avatar
Kristian Klausen committed
582
  parent_flow_alias = keycloak_authentication_subflow._2fa.alias
583
584
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"
585
586
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
587
resource "keycloak_authentication_execution" "otp_form" {
588
  realm_id          = "archlinux"
Kristian Klausen's avatar
Kristian Klausen committed
589
  parent_flow_alias = keycloak_authentication_subflow._2fa.alias
590
591
592
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.webauthn_form]
Kristian Klausen's avatar
Kristian Klausen committed
593
594
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
595
resource "keycloak_authentication_subflow" "otp_default" {
596
597
  realm_id          = "archlinux"
  alias             = "OTP Default Subflow"
Kristian Klausen's avatar
Kristian Klausen committed
598
  parent_flow_alias = keycloak_authentication_subflow._2fa.alias
599
600
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.otp_form]
601
602
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
603
resource "keycloak_authentication_execution" "otp_default_form" {
604
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
605
  parent_flow_alias = keycloak_authentication_subflow.otp_default.alias
606
607
  authenticator     = "auth-otp-form"
  requirement       = "REQUIRED"
608
609
}

610
611
612
// Add new custom post-Identity Provider login flow with forced OTP for some user roles
//
// Arch Post IPR Flow
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
613
614
615
616
// |- WebAuthn Form (A)
// |- OTP Form (A)
// |- IPR OTP Default Subflow (A)
//    |- OTP Form (R)
617
618

resource "keycloak_authentication_flow" "arch_post_ipr_flow" {
619
620
  realm_id    = "archlinux"
  alias       = "Arch Post IPR Flow"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
621
  description = "Post IPR login flow that forces 2FA."
622
623
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
624
resource "keycloak_authentication_execution" "ipr_webauthn_form" {
625
  realm_id          = "archlinux"
626
  parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
627
628
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"
629
630
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
631
resource "keycloak_authentication_execution" "ipr_otp_form" {
632
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
633
  parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
634
635
636
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.ipr_webauthn_form]
637
638
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
639
resource "keycloak_authentication_subflow" "ipr_otp_default" {
640
641
  realm_id          = "archlinux"
  alias             = "IPR OTP Default Subflow"
642
  parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
643
644
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.ipr_otp_form]
645
646
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
647
resource "keycloak_authentication_execution" "ipr_otp_default_form" {
648
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
649
  parent_flow_alias = keycloak_authentication_subflow.ipr_otp_default.alias
650
651
  authenticator     = "auth-otp-form"
  requirement       = "REQUIRED"
652
653
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
654
655
656
657
658
659
660
661
662
663
664
665
666
// Add new custom Reset Credentials flow that asks users to verify 2FA before resetting their password
//
// Arch Reset Credentials
// |- Choose User (R)
// |- Send Reset Email (R)
// |- Conditional Reset Credentials 2FA Subflow (C)
//    |- Condition - User Configured (R)
//    |- Reset Credentials 2FA Subflow (R)
//       |- WebAuthn Form (A)
//       |- OTP Form (A)
//       |- Reset Credentials OTP Default Subflow (A)
//          |- OTP Form (R)
// |- Reset Password (R)
667

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
668
resource "keycloak_authentication_flow" "arch_reset_credentials_flow" {
669
670
  realm_id    = "archlinux"
  alias       = "Arch Reset Credentials"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
671
  description = "Reset credentials flow that forces 2FA verification before password reset."
Kristian Klausen's avatar
Kristian Klausen committed
672
673
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
674
resource "keycloak_authentication_execution" "rc_choose_user" {
675
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
676
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
677
678
  authenticator     = "reset-credentials-choose-user"
  requirement       = "REQUIRED"
679
680
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
681
resource "keycloak_authentication_execution" "rc_reset_email" {
682
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
683
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
684
685
686
  authenticator     = "reset-credential-email"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.rc_choose_user]
687
688
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
689
resource "keycloak_authentication_subflow" "rc_conditional_2fa" {
690
691
  realm_id          = "archlinux"
  alias             = "Conditional Reset Credentials 2FA Subflow"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
692
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
693
694
  requirement       = "CONDITIONAL"
  depends_on        = [keycloak_authentication_execution.rc_choose_user]
695
696
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
697
resource "keycloak_authentication_execution" "rc_2fa_condition" {
698
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
699
  parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
700
701
  authenticator     = "conditional-user-configured"
  requirement       = "REQUIRED"
702
703
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
704
resource "keycloak_authentication_subflow" "rc_2fa" {
705
706
  realm_id          = "archlinux"
  alias             = "Reset Credentials 2FA Subflow"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
707
  parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
708
709
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.rc_2fa_condition]
710
711
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
712
resource "keycloak_authentication_execution" "rc_webauthn_form" {
713
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
714
  parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
715
716
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"
717
718
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
719
resource "keycloak_authentication_execution" "rc_otp_form" {
720
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
721
  parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
722
723
724
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.rc_webauthn_form]
Kristian Klausen's avatar
Kristian Klausen committed
725
726
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
727
resource "keycloak_authentication_subflow" "rc_otp_default" {
728
729
  realm_id          = "archlinux"
  alias             = "Reset Credentials OTP Default Subflow"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
730
  parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
731
732
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.rc_otp_form]
733
734
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
735
resource "keycloak_authentication_execution" "rc_otp_default_form" {
736
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
737
  parent_flow_alias = keycloak_authentication_subflow.rc_otp_default.alias
738
739
  authenticator     = "auth-otp-form"
  requirement       = "REQUIRED"
740
741
}

Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
742
resource "keycloak_authentication_execution" "rc_reset_password" {
743
  realm_id          = "archlinux"
Sven-Hendrik Haase's avatar
Sven-Hendrik Haase committed
744
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
745
746
747
  authenticator     = "reset-password"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_subflow.rc_conditional_2fa]
748
749
}

750
751
output "gitlab_saml_configuration" {
  value = {
752
753
754
755
    issuer                          = keycloak_saml_client.saml_gitlab.client_id
    assertion_consumer_service_url  = var.gitlab_instance.saml_redirect_url
    admin_groups                    = [keycloak_role.devops.name]
    idp_sso_target_url              = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
756
757
758
    signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
  }
}
Jelle van der Waa's avatar
Jelle van der Waa committed
759
760

resource "keycloak_openid_client" "grafana_openid_client" {
761
762
763
  realm_id      = "archlinux"
  client_id     = "openid_grafana"
  client_secret = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret
Jelle van der Waa's avatar
Jelle van der Waa committed
764

765
  name    = "Grafana"
Jelle van der Waa's avatar
Jelle van der Waa committed
766
767
  enabled = true

768
  access_type           = "CONFIDENTIAL"
Jelle van der Waa's avatar
Jelle van der Waa committed
769
770
771
772
773
774
775
776
  standard_flow_enabled = true
  valid_redirect_uris = [
    "https://monitoring.archlinux.org",
    "https://monitoring.archlinux.org/login/generic_oauth"
  ]
}

resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
777
778
779
  realm_id  = "archlinux"
  client_id = keycloak_openid_client.grafana_openid_client.id
  name      = "user realms"
Jelle van der Waa's avatar
Jelle van der Waa committed
780

781
782
783
  claim_name          = "roles"
  multivalued         = true
  add_to_id_token     = false
Jelle van der Waa's avatar
Jelle van der Waa committed
784
785
  add_to_access_token = false
}
786

787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
resource "keycloak_openid_client" "hedgedoc_openid_client" {
  realm_id      = "archlinux"
  client_id     = "openid_hedgedoc"
  client_secret = data.external.vault_hedgedoc.result.vault_hedgedoc_client_secret

  name    = "Hedgedoc"
  enabled = true

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "https://md.archlinux.org/*",
  ]
}

resource "keycloak_openid_user_realm_role_protocol_mapper" "hedgedoc_user_realm_role_mapper" {
  realm_id  = "archlinux"
  client_id = keycloak_openid_client.hedgedoc_openid_client.id
  name      = "user realms"

  claim_name          = "roles"
  multivalued         = true
  add_to_id_token     = false
  add_to_access_token = false
}
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834

resource "keycloak_openid_client" "matrix_openid_client" {
  realm_id      = "archlinux"
  client_id     = "openid_matrix"
  client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret

  name    = "Matrix"
  enabled = true

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "https://matrix.archlinux.org/_synapse/client/oidc/callback"
  ]
}

resource "keycloak_openid_user_realm_role_protocol_mapper" "matrix_user_realm_role_mapper" {
  realm_id  = "archlinux"
  client_id = keycloak_openid_client.matrix_openid_client.id
  name      = "user realms"

  claim_name          = "roles"
  multivalued         = true
835
  add_to_id_token     = true
836
837
  add_to_access_token = false
}