Commit 649568e7 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase Committed by Jelle van der Waa

Restrict Grafana access to Arch Linux Staff group on Keycloak (fixes #151)

parent cfa10ae5
......@@ -415,7 +415,8 @@ resource "keycloak_group_roles" "staff" {
realm_id = "archlinux"
group_id = keycloak_group.staff.id
role_ids = [
keycloak_role.staff.id
keycloak_role.staff.id,
keycloak_role.grafana_archlinux_staff.id
]
}
......@@ -761,3 +762,26 @@ resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapp
add_to_id_token = false
add_to_access_token = false
}
// All of the below is to restrict access to Grafana to members in the Arch Linux Staff group.
resource "keycloak_role" "grafana_archlinux_staff" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "Staff"
description = "Arch Linux Staff Grafana"
}
resource "keycloak_generic_client_role_mapper" "grafana_archlinux_staff_to_email" {
realm_id = "archlinux"
role_id = keycloak_role.grafana_archlinux_staff.id
client_scope_id = keycloak_openid_client_scope.email.id
}
// This needs to be imported from the default client scopes created by Keycloak.
resource "keycloak_openid_client_scope" "email" {
realm_id = "archlinux"
name = "email"
description = "OpenID Connect built-in scope: email"
include_in_token_scope = true
consent_screen_text = "$${emailScopeConsentText}"
}
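Review bot: The `keycloak_generic_client_role_mapper.grafana_archlinux_staff_to_email` resource attaches the Grafana-only `Staff` client role to the realm's built-in `email` client scope, which every other client in the `archlinux` realm that has `email` as a default scope shares, so the restriction is not confined to Grafana. If Keycloak treats a default scope with role scope mappings as usable only by users who hold one of those roles — which appears to be the behaviour this commit relies on, though nothing in the hunk documents it — non-staff users of any other client using that scope are affected too; at minimum the `email` claims in their tokens change. A dedicated client scope carrying the role mapping and attached as a default scope only to `keycloak_openid_client.grafana_openid_client` keeps the effect local to Grafana and removes the need to manage the built-in `email` scope from Terraform at all. The comment above the `email` resource should also state the consequence of skipping the import, e.g. `// Must be imported (terraform import keycloak_openid_client_scope.email archlinux/<id>) before apply; otherwise apply creates a duplicate "email" scope or fails on the name clash.`, since nothing in the configuration enforces it. Note that `keycloak_openid_client_default_scopes` is authoritative for the client's default-scope list, so the client's existing defaults (defined outside this hunk) must be repeated in it.
```hcl
// Dedicated scope so the role restriction applies to the Grafana client only.
resource "keycloak_openid_client_scope" "grafana_staff" {
  realm_id               = "archlinux"
  name                   = "grafana-staff"
  description            = "Restricts Grafana to Arch Linux Staff"
  include_in_token_scope = false
}

resource "keycloak_generic_client_role_mapper" "grafana_archlinux_staff_to_scope" {
  realm_id        = "archlinux"
  role_id         = keycloak_role.grafana_archlinux_staff.id
  client_scope_id = keycloak_openid_client_scope.grafana_staff.id
}

// Authoritative list: repeat the client's existing default scopes here.
resource "keycloak_openid_client_default_scopes" "grafana" {
  realm_id       = "archlinux"
  client_id      = keycloak_openid_client.grafana_openid_client.id
  default_scopes = [/* … existing default scopes of the Grafana client … */ "grafana-staff"]
}
```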