keycloak: Add External Contributors role

3400f088 · Sven-Hendrik Haase · 66527e98 · 3400f088
Verified Commit 3400f088 authored 4 years ago by Sven-Hendrik Haase
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -156,11 +156,23 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_username" {
  saml_attribute_name_format = "Basic"
 }

+// This is the super group in which we put the other Arch groups.
+// We want to end up with this structure:
+// Arch Linux Staff
+// |- DevOps
+// |- Developers
+// |- Trusted Users
+// External Contributors
 resource "keycloak_group" "staff" {
  realm_id = "archlinux"
  name = "Arch Linux Staff"
 }

+resource "keycloak_group" "externals" {
+  realm_id = "archlinux"
+  name = "External Contributors"
+}
+
 variable "arch_groups" {
  type = set(string)
  default = ["DevOps", "Developers", "Trusted Users"]
@@ -186,6 +198,12 @@ resource "keycloak_role" "staff" {
  description = "Role held by all Arch Linux staff"
 }

+resource "keycloak_role" "externals" {
+  realm_id = "archlinux"
+  name = "External Contributors"
+  description = "Role held by external contributors working on Arch Linux projects without further access"
+}
+
 resource "keycloak_group_roles" "devops" {
  realm_id = "archlinux"
  group_id = keycloak_group.arch_groups["DevOps"].id
@@ -202,6 +220,14 @@ resource "keycloak_group_roles" "staff" {
  ]
 }

+resource "keycloak_group_roles" "externals" {
+  realm_id = "archlinux"
+  group_id = keycloak_group.externals.id
+  role_ids = [
+    keycloak_role.externals.id
+  ]
+}
+
 output "gitlab_saml_configuration" {
  value = {
    issuer = keycloak_saml_client.saml_gitlab.client_id