Newer
Older
terraform {
backend "pg" {
schema_name = "terraform_remote_state_stage2"
}
}
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_keycloak.yml",
"vault_keycloak_admin_user",
"vault_keycloak_admin_password",
"vault_keycloak_smtp_user",
"vault_keycloak_smtp_password",
"vault_keycloak_gluebuddy_openid_client_secret",
"--format", "json"]
data "external" "vault_hcaptcha" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../misc/vaults/vault_hcaptcha.yml",
"vault_hcaptcha_accounts_archlinux_org_sitekey",
"vault_hcaptcha_secret_key",
"--format", "json"]
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_github.yml",
"vault_github_oauth_app_client_id",
"vault_github_oauth_app_client_secret",
"--format", "json"]
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_monitoring.yml",
"--format", "json"]
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_hedgedoc.yml",
"vault_hedgedoc_client_secret",
"--format", "json"]
}
data "external" "vault_matrix" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_matrix.yml",
"vault_matrix_openid_client_secret",
"--format", "json"]
}
data "external" "vault_security_tracker" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_security_tracker.yml",
"vault_security_tracker_openid_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
password = data.external.vault_keycloak.result.vault_keycloak_admin_password
url = "https://accounts.archlinux.org"
}
variable "gitlab_instance" {
default = {
root_url = "https://gitlab.archlinux.org"
saml_redirect_url = "https://gitlab.archlinux.org/users/auth/saml/callback"
}
}
resource "keycloak_realm" "archlinux" {
realm = "archlinux"
enabled = true
remember_me = true
display_name = "Arch Linux"
Sven-Hendrik Haase
committed
display_name_html = "<div class=\"kc-logo-text\"><span>Arch Linux</span></div>"
registration_allowed = false
reset_password_allowed = true
verify_email = true
password_policy = "length(8) and notUsername"
web_authn_policy {
relying_party_entity_name = "Arch Linux SSO"
relying_party_id = "accounts.archlinux.org"
signature_algorithms = ["ES256", "RS256", "ES512", "RS512"]
login_theme = "archlinux"
account_theme = "archlinux"
admin_theme = "archlinux"
email_theme = "archlinux"
browser_flow = "Arch Browser"
registration_flow = "Arch Registration"
reset_credentials_flow = "Arch Reset Credentials"
host = "mail.archlinux.org"
from = "accounts@archlinux.org"
port = "465"
from_display_name = "Arch Linux Accounts"
ssl = true
starttls = false
username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
security_defenses {
x_frame_options = "ALLOW-FROM https://www.google.com https://newassets.hcaptcha.com"
content_security_policy = "frame-src 'self' https://www.google.com https://newassets.hcaptcha.com; frame-ancestors 'self'; object-src 'none';"
content_security_policy_report_only = ""
x_content_type_options = "nosniff"
x_robots_tag = "none"
x_xss_protection = "1; mode=block"
strict_transport_security = "max-age=31536000; includeSubDomains"
}
brute_force_detection {
permanent_lockout = false
max_login_failures = 30
wait_increment_seconds = 60
quick_login_check_milli_seconds = 1000
minimum_quick_login_wait_seconds = 60
max_failure_wait_seconds = 900
failure_reset_time_seconds = 43200
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
attributes = {
userProfileEnabled = true
}
}
resource "keycloak_realm_user_profile" "archlinux" {
realm_id = keycloak_realm.archlinux.id
attribute {
name = "username"
display_name = "$${username}"
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "length"
config = {
min = 3
max = 255
}
}
validator {
name = "username-prohibited-characters"
}
validator {
name = "up-username-not-idn-homograph"
}
}
attribute {
name = "email"
display_name = "$${email}"
required_for_roles = ["user"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "email"
}
validator {
name = "length"
config = {
max = 255
}
}
}
attribute {
name = "firstName"
display_name = "$${firstName}"
required_for_roles = ["user"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
name = "length"
config = {
max = 255
}
}
validator {
name = "person-name-prohibited-characters"
}
}
attribute {
name = "lastName"
display_name = "$${lastName}"
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "length"
config = {
max = 255
}
}
validator {
name = "person-name-prohibited-characters"
}
}
attribute {
name = "archQuestion"
display_name = "What is the output of: LC_ALL=C pacman -V|tail -n3|base32|head -1 ?"
required_for_roles = ["user"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "pattern"
config = {
pattern = "^EAQCAIBAEAQCAIBAEAQCAIBAEAQCAIBAEAQCAVDINFZSA4DSN5TXEYLNEBWWC6JAMJSSAZTSMVSW$"
error-message = "Nope"
}
}
}
resource "keycloak_required_action" "custom-terms-and-conditions" {
realm_id = "archlinux"
alias = "TERMS_AND_CONDITIONS"
default_action = true
enabled = true
name = "Terms and Conditions"
}
resource "keycloak_required_action" "configure_otp" {
realm_id = "archlinux"
alias = "CONFIGURE_TOTP"
default_action = true
enabled = true
name = "Configure OTP"
priority = 0
}
resource "keycloak_required_action" "update_password" {
realm_id = "archlinux"
alias = "UPDATE_PASSWORD"
enabled = true
name = "Update Password"
priority = 20
}
resource "keycloak_required_action" "update_profile" {
realm_id = "archlinux"
alias = "UPDATE_PROFILE"
enabled = true
name = "Update Profile"
priority = 30
}
resource "keycloak_required_action" "verify_email" {
realm_id = "archlinux"
alias = "VERIFY_EMAIL"
enabled = true
name = "Verify Email"
priority = 40
}
resource "keycloak_required_action" "update_user_locale" {
realm_id = "archlinux"
alias = "update_user_locale"
enabled = true
name = "Update User Locale"
priority = 50
}
resource "keycloak_required_action" "webauthn_register" {
realm_id = "archlinux"
alias = "webauthn-register"
enabled = true
name = "Webauthn Register"
priority = 60
resource "keycloak_required_action" "verify_profile" {
realm_id = "archlinux"
alias = "VERIFY_PROFILE"
default_action = true
enabled = true
name = "Verify Profile"
priority = 70
}
resource "keycloak_realm_events" "realm_events" {
realm_id = "archlinux"
events_enabled = true
events_expiration = 7889238 # 3 months
admin_events_enabled = true
admin_events_details_enabled = true
# When omitted or left empty, keycloak will enable all event types
enabled_event_types = [
]
events_listeners = [
"jboss-logging", # keycloak enables the 'jboss-logging' event listener by default.
"metrics-listener", # enable the prometheus exporter (keycloak-metrics-spi)
resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
realm = "archlinux"
alias = "github"
provider_id = "github"
authorization_url = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
token_url = ""
default_scopes = ""
post_broker_login_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
trust_email = false
store_token = false
backchannel_supported = false
resource "keycloak_saml_client" "saml_gitlab" {
realm_id = "archlinux"
name = "Arch Linux GitLab"
signature_algorithm = "RSA_SHA256"
sign_documents = true
sign_assertions = true
valid_redirect_uris = [
var.gitlab_instance.saml_redirect_url
]
root_url = var.gitlab_instance.root_url
base_url = "/"
master_saml_processing_url = var.gitlab_instance.saml_redirect_url
idp_initiated_sso_url_name = "saml_gitlab"
front_channel_logout = false
assertion_consumer_post_url = var.gitlab_instance.saml_redirect_url
}
// This client is only used for the return URL redirect hack!
// See roles/gitlab/tasks/main.yml
resource "keycloak_openid_client" "openid_gitlab" {
realm_id = "archlinux"
name = "Arch Linux Accounts"
access_type = "PUBLIC"
use_refresh_tokens = false
full_scope_allowed = false
valid_redirect_uris = [
"https://gitlab.archlinux.org"
]
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "email"
user_property = "Email"
friendly_name = "Email"
saml_attribute_name = "email"
saml_attribute_name_format = "Basic"
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "first_name"
user_property = "FirstName"
friendly_name = "First Name"
saml_attribute_name = "first_name"
saml_attribute_name_format = "Basic"
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_last_name" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "last_name"
user_property = "LastName"
friendly_name = "Last Name"
saml_attribute_name = "last_name"
saml_attribute_name_format = "Basic"
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_username" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "username"
user_property = "Username"
friendly_name = "Username"
saml_attribute_name = "username"
saml_attribute_name_format = "Basic"
}
// This is the super group in which we put the other Arch groups.
// We want to end up with this structure:
// Arch Linux Staff
// |- DevOps
// |- Developers
// |- Trusted Users
// | |- Admins
// | |- Mods
// | |- Admins
// | |- Members
// |- Package Maintainer Team
// | |- Core Package Maintainers
// | |- Junior Core Package Maintainers
// | |- Package Maintainers
// | |- Junior Package Maintainers
// | |- Mirrorlist Maintainers
// |- Bug Wranglers
// |- Project Maintainers
// |- Security Team
// | |- Reporters
// |- Archweb
// |- Testers
resource "keycloak_group" "staff" {
name = "Arch Linux Staff"
resource "keycloak_group" "staff_groups" {
for_each = toset(["DevOps", "Developers", "Trusted Users", "Wiki", "Forum", "Security Team", "IRC", "Archweb", "Bug Wranglers", "Project Maintainers", "Package Maintainer Team"])
realm_id = "archlinux"
parent_id = keycloak_group.staff.id
name = each.value
resource "keycloak_group" "staff_wiki_groups" {
for_each = toset(["Admins", "Maintainers"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Wiki"].id
name = each.value
resource "keycloak_group" "staff_forum_groups" {
for_each = toset(["Admins", "Mods"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Forum"].id
name = each.value
resource "keycloak_group" "staff_securityteam_groups" {
for_each = toset(["Admins", "Members"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Security Team"].id
name = each.value
resource "keycloak_group" "staff_package_maintainer_groups" {
for_each = toset(["Core Package Maintainers", "Junior Core Package Maintainers", "Package Maintainers", "Junior Package Maintainers"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Package Maintainer Team"].id
name = each.value
}
resource "keycloak_group" "staff_irc_groups" {
for_each = toset(["Ops"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["IRC"].id
name = each.value
resource "keycloak_group" "staff_archweb_groups" {
for_each = toset(["Mirrorlist Maintainers"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Archweb"].id
name = each.value
resource "keycloak_group" "externalcontributors" {
realm_id = "archlinux"
name = "External Contributors"
}
resource "keycloak_group" "externalcontributors_groups" {
for_each = toset(["Security Team", "Archweb"])
realm_id = "archlinux"
parent_id = keycloak_group.externalcontributors.id
name = each.value
resource "keycloak_group" "externalcontributors_securityteam_groups" {
for_each = toset(["Reporters"])
realm_id = "archlinux"
parent_id = keycloak_group.externalcontributors_groups["Security Team"].id
name = each.value
resource "keycloak_group" "externalcontributors_archweb_groups" {
for_each = toset(["Testers"])
realm_id = "archlinux"
parent_id = keycloak_group.externalcontributors_groups["Archweb"].id
name = each.value
realm_id = "archlinux"
name = "DevOps"
description = "Role held by members of the DevOps group"
resource "keycloak_role" "staff" {
realm_id = "archlinux"
name = "Staff"
description = "Role held by all Arch Linux staff"
}
resource "keycloak_role" "externalcontributor" {
realm_id = "archlinux"
name = "External Contributor"
description = "Role held by external contributors working on Arch Linux projects without further access"
}
resource "keycloak_group_roles" "devops" {
realm_id = "archlinux"
group_id = keycloak_group.staff_groups["DevOps"].id
keycloak_role.devops.id
resource "keycloak_group_roles" "staff" {
realm_id = "archlinux"
group_id = keycloak_group.staff.id
role_ids = [
resource "keycloak_group_roles" "externalcontributor" {
group_id = keycloak_group.externalcontributors.id
keycloak_role.externalcontributor.id
// Add new custom registration flow with hCaptcha
resource "keycloak_authentication_flow" "arch_registration_flow" {
realm_id = "archlinux"
alias = "Arch Registration"
description = "Customized Registration flow that forces enables hCaptcha."
}
resource "keycloak_authentication_subflow" "registration_form" {
realm_id = "archlinux"
alias = "Registration Form"
parent_flow_alias = keycloak_authentication_flow.arch_registration_flow.alias
provider_id = "form-flow"
authenticator = "registration-page-form"
requirement = "REQUIRED"
}
resource "keycloak_authentication_execution" "registration_user_creation" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
authenticator = "registration-user-creation"
requirement = "REQUIRED"
}
resource "keycloak_authentication_execution" "registration_password_action" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
authenticator = "registration-password-action"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.registration_user_creation]
resource "keycloak_authentication_execution" "registration_hcaptcha_action" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
authenticator = "registration-hcaptcha-action"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.registration_password_action]
resource "keycloak_authentication_execution_config" "registration_hcaptcha_action_config" {
realm_id = "archlinux"
alias = "hCaptcha config"
execution_id = keycloak_authentication_execution.registration_hcaptcha_action.id
"site.key" = data.external.vault_hcaptcha.result.vault_hcaptcha_accounts_archlinux_org_sitekey
"secret" = data.external.vault_hcaptcha.result.vault_hcaptcha_secret_key
// Add new custom browser login flow with WebAuthn support and forced OTP.
// Try misc/kcadm_wrapper.sh get authentication/flows/{{ your flow alias}}/executions
// to make this a whole lot easier.
// NOTE: We use the `depends_on` calls to properly order the executions and subflows inside the
// flow. This has to be done until https://github.com/mrparkers/terraform-provider-keycloak/issues/296
// is fixed. :(
// We want to end up with something like this:
//
// Arch Browser flow
// |- Cookie (A)
// |- Identity Provider Redirector (A)
// |- Username Password Form (R)
// |- WebAuthn Authenticator (A)
// |- OTP Form (A)
// |- OTP Default Subflow (A)
// |- OTP Form (R)
//
// IMPORTANT NOTE: Sometimes when changing Authentication Flows via Terraform or UI, flows can become orphaned in which
// case they'll hang around the database doing nothing useful and blocking alias names and causing 409 CONFLICTS. If such
// a thing happens, you'll have to get dirty and and manually clean up the authentication_flows and authentication_executions
// tables on the Keycloak Postgres DB! Quality Red Hat software right there.
resource "keycloak_authentication_flow" "arch_browser_flow" {
realm_id = "archlinux"
alias = "Arch Browser"
description = "Customized Browser flow that forces 2FA."
}
resource "keycloak_authentication_execution" "cookie" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
authenticator = "auth-cookie"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_flow.arch_browser_flow]
}
resource "keycloak_authentication_execution" "identity_provider_redirector" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
authenticator = "identity-provider-redirector"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.cookie]
resource "keycloak_authentication_subflow" "password_and_2fa" {
realm_id = "archlinux"
alias = "Password and 2FA subflow"
parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.identity_provider_redirector]
}
resource "keycloak_authentication_execution" "username_password_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
authenticator = "auth-username-password-form"
requirement = "REQUIRED"
resource "keycloak_authentication_subflow" "_2fa" {
realm_id = "archlinux"
alias = "2FA subflow"
parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.username_password_form]
resource "keycloak_authentication_execution" "webauthn_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow._2fa.alias
authenticator = "webauthn-authenticator"
requirement = "ALTERNATIVE"
resource "keycloak_authentication_execution" "otp_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow._2fa.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.webauthn_form]
resource "keycloak_authentication_subflow" "otp_default" {
realm_id = "archlinux"
alias = "OTP Default Subflow"
parent_flow_alias = keycloak_authentication_subflow._2fa.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.otp_form]
Sven-Hendrik Haase
committed
}
resource "keycloak_authentication_execution" "otp_default_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.otp_default.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
Sven-Hendrik Haase
committed
}
// Add new custom post-Identity Provider login flow with forced OTP for some user roles
//
// Arch Post IPR Flow
// |- WebAuthn Form (A)
// |- OTP Form (A)
// |- IPR OTP Default Subflow (A)
// |- OTP Form (R)
resource "keycloak_authentication_flow" "arch_post_ipr_flow" {
realm_id = "archlinux"
alias = "Arch Post IPR Flow"
description = "Post IPR login flow that forces 2FA."
resource "keycloak_authentication_execution" "ipr_webauthn_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
authenticator = "webauthn-authenticator"
requirement = "ALTERNATIVE"
resource "keycloak_authentication_execution" "ipr_otp_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.ipr_webauthn_form]
resource "keycloak_authentication_subflow" "ipr_otp_default" {
realm_id = "archlinux"
alias = "IPR OTP Default Subflow"
parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.ipr_otp_form]
resource "keycloak_authentication_execution" "ipr_otp_default_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.ipr_otp_default.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
// Add new custom Reset Credentials flow that asks users to verify 2FA before resetting their password
//
// Arch Reset Credentials
// |- Choose User (R)
// |- Send Reset Email (R)
// |- Conditional Reset Credentials 2FA Subflow (C)
// |- Condition - User Configured (R)
// |- Reset Credentials 2FA Subflow (R)
// |- WebAuthn Form (A)
// |- OTP Form (A)
// |- Reset Credentials OTP Default Subflow (A)
// |- OTP Form (R)
// |- Reset Password (R)
resource "keycloak_authentication_flow" "arch_reset_credentials_flow" {
realm_id = "archlinux"
alias = "Arch Reset Credentials"
description = "Reset credentials flow that forces 2FA verification before password reset."
resource "keycloak_authentication_execution" "rc_choose_user" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
authenticator = "reset-credentials-choose-user"
requirement = "REQUIRED"
resource "keycloak_authentication_execution" "rc_reset_email" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
authenticator = "reset-credential-email"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.rc_choose_user]
resource "keycloak_authentication_subflow" "rc_conditional_2fa" {
realm_id = "archlinux"
alias = "Conditional Reset Credentials 2FA Subflow"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
requirement = "CONDITIONAL"
depends_on = [keycloak_authentication_execution.rc_choose_user]
resource "keycloak_authentication_execution" "rc_2fa_condition" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
authenticator = "conditional-user-configured"
requirement = "REQUIRED"
resource "keycloak_authentication_subflow" "rc_2fa" {
realm_id = "archlinux"
alias = "Reset Credentials 2FA Subflow"
parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.rc_2fa_condition]
resource "keycloak_authentication_execution" "rc_webauthn_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
authenticator = "webauthn-authenticator"
requirement = "ALTERNATIVE"
resource "keycloak_authentication_execution" "rc_otp_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.rc_webauthn_form]
resource "keycloak_authentication_subflow" "rc_otp_default" {
realm_id = "archlinux"
alias = "Reset Credentials OTP Default Subflow"
parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.rc_otp_form]
resource "keycloak_authentication_execution" "rc_otp_default_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_otp_default.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
resource "keycloak_authentication_execution" "rc_reset_password" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
authenticator = "reset-password"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_subflow.rc_conditional_2fa]
output "gitlab_saml_configuration" {
value = {
issuer = keycloak_saml_client.saml_gitlab.client_id
assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
admin_groups = [keycloak_role.devops.name]
idp_sso_target_url = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
}
}
resource "keycloak_openid_client" "grafana_openid_client" {
realm_id = "archlinux"
client_id = "openid_grafana"
client_secret = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret
name = "Grafana"
access_type = "CONFIDENTIAL"
use_refresh_tokens = false
valid_redirect_uris = [
"https://monitoring.archlinux.org",
"https://monitoring.archlinux.org/login/generic_oauth"
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
Sven-Hendrik Haase
committed
resource "keycloak_openid_client" "hedgedoc_openid_client" {
realm_id = "archlinux"
client_id = "openid_hedgedoc"
client_secret = data.external.vault_hedgedoc.result.vault_hedgedoc_client_secret
name = "Hedgedoc"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://md.archlinux.org/*",
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "hedgedoc_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.hedgedoc_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
resource "keycloak_openid_client" "matrix_openid_client" {
realm_id = "archlinux"
client_id = "openid_matrix"
client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret
name = "Matrix"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://matrix.archlinux.org/_synapse/client/oidc/callback"
]
Jan Alexander Steffens (heftig)
committed
backchannel_logout_url = "https://matrix.archlinux.org/_synapse/client/oidc/backchannel_logout"
backchannel_logout_session_required = true
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "matrix_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.matrix_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = true
add_to_access_token = false
}
resource "keycloak_openid_client" "gluebuddy_openid_client" {
realm_id = "archlinux"
client_id = "gluebuddy"
client_secret = data.external.vault_keycloak.result.vault_keycloak_gluebuddy_openid_client_secret
web_origins = []
name = "Gluebuddy"
enabled = true
service_accounts_enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://gitlab.archlinux.org/"
]
}
resource "keycloak_openid_client" "security_tracker_openid_client" {
realm_id = "archlinux"
client_id = "openid_security_tracker"
client_secret = data.external.vault_security_tracker.result.vault_security_tracker_openid_client_secret
name = "Security Tracker"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
web_origins = []
valid_redirect_uris = [
"https://security.archlinux.org/*",
]
}
resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.security_tracker_openid_client.id
name = "group-membership-mapper"
claim_name = "groups"
}
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
resource "keycloak_openid_client" "buildbot_openid_client" {
realm_id = "archlinux"
client_id = "openid_buildbot"
name = "Buildbot"
enabled = true
access_type = "PUBLIC"
standard_flow_enabled = true
valid_redirect_uris = [
"https://buildbot.pkgbuild.com/*",
"http://127.0.0.1:5000/*",
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "buildbot_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.buildbot_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}