tf/keycloak: Add openid client for buildbot

The buildbot POC wants to use Keycloak for user authentication. The client is public, because it doesn't make sense to have a client secret, which can't be kept under wrap anyway (it would need to be shipped with the CLI[1]). [1] https://gitlab.archlinux.org/foxboron/buildctl

tf/keycloak: Add openid client for buildbot
c56fbb55 · Kristian Klausen · 71158607 · c56fbb55
Verified Commit c56fbb55 authored 2 years ago by Kristian Klausen
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -891,3 +891,29 @@ resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_ma

  claim_name = "groups"
 }
+
+resource "keycloak_openid_client" "buildbot_openid_client" {
+  realm_id  = "archlinux"
+  client_id = "openid_buildbot"
+
+  name    = "Buildbot"
+  enabled = true
+
+  access_type           = "PUBLIC"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+    "https://buildbot.pkgbuild.com/*",
+    "http://127.0.0.1:5000/*",
+  ]
+}
+
+resource "keycloak_openid_user_realm_role_protocol_mapper" "buildbot_user_realm_role_mapper" {
+  realm_id  = "archlinux"
+  client_id = keycloak_openid_client.buildbot_openid_client.id
+  name      = "user realms"
+
+  claim_name          = "roles"
+  multivalued         = true
+  add_to_id_token     = false
+  add_to_access_token = false
+}