Merge branch 'remove-keycloak-hack' into 'master'

grafana: Use builtin functionality to restrict access See merge request archlinux/infrastructure!443

Merge branch 'remove-keycloak-hack' into 'master'
grafana: Use builtin functionality to restrict access See merge request archlinux/infrastructure!443
b5e90585 · Kristian Klausen · a898f42e · e7aa7f09 · b5e90585 · b5e90585
Commit b5e90585 authored Jul 06, 2021 by Kristian Klausen 🎉
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -477,8 +477,8 @@ api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-c
 ;allowed_domains =
 ;team_ids =
 ;allowed_organizations =
-role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'
-;role_attribute_strict = false
+role_attribute_path: contains(roles[*], 'DevOps') && 'Admin'
+role_attribute_strict = true
 ;tls_skip_verify_insecure = false
 ;tls_client_cert =
 ;tls_client_key =

--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -419,8 +419,7 @@ resource "keycloak_group_roles" "devops" {
  realm_id = "archlinux"
  group_id = keycloak_group.staff_groups["DevOps"].id
  role_ids = [
-    keycloak_role.devops.id,
-    keycloak_role.grafana_archlinux_devops.id
+    keycloak_role.devops.id
  ]
 }

@@ -775,29 +774,6 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
  add_to_access_token = false
 }

-// All of the below is to restrict access to Grafana to members in the Arch Linux DevOps group.
-resource "keycloak_role" "grafana_archlinux_devops" {
-  realm_id    = "archlinux"
-  client_id   = keycloak_openid_client.grafana_openid_client.id
-  name        = "DevOps"
-  description = "Arch Linux Staff Grafana"
-}
-
-resource "keycloak_generic_client_role_mapper" "grafana_archlinux_devops_to_email" {
-  realm_id        = "archlinux"
-  role_id         = keycloak_role.grafana_archlinux_devops.id
-  client_scope_id = keycloak_openid_client_scope.email.id
-}
-
-// This needs to be imported from the default client scopes created by Keycloak.
-resource "keycloak_openid_client_scope" "email" {
-  realm_id               = "archlinux"
-  name                   = "email"
-  description            = "OpenID Connect built-in scope: email"
-  include_in_token_scope = true
-  consent_screen_text    = "$${emailScopeConsentText}"
-}
-
 resource "keycloak_openid_client" "hedgedoc_openid_client" {
  realm_id      = "archlinux"
  client_id     = "openid_hedgedoc"