diff options
| author | Vincent Ambo <mail@tazj.in> | 2022-09-20T09·19+0300 |
|---|---|---|
| committer | tazjin <tazjin@tvl.su> | 2022-09-20T09·28+0000 |
| commit | 6576c2f15fc98f9432b0a0ce6b4f23a8528f30d9 (patch) | |
| tree | c35e53230bbc9382219e239b89f6b8bae3348a95 | |
| parent | 3a1f4831a82b0f682b03032625c7c083ff20b603 (diff) | |
feat(ops/keycloak): import github identity provider configuration r/4930
For some reason Terraform decided that it would otherwise like to *delete* this configuration, which is undesirable. Note that there is a "magic" special behaviour when the `alias` and `provider_id` are set to the name of a built-in supported provider (github, gitlab etc.), which lets us skip the authorization_url setup. Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20 Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
| -rw-r--r-- | ops/keycloak/main.tf | 2 | ||||
| -rw-r--r-- | ops/keycloak/user_sources.tf | 23 | ||||
| -rw-r--r-- | ops/secrets/tf-keycloak.age | bin | 981 -> 1001 bytes |
3 files changed, 24 insertions, 1 deletions
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf index a8e2d82a3c..c18f4a1789 100644 --- a/ops/keycloak/main.tf +++ b/ops/keycloak/main.tf @@ -1,6 +1,6 @@ # Configure TVL Keycloak instance. # -# TODO(tazjin): Configure GitHub/GitLab IDP +# TODO(tazjin): Configure GitLab IDP terraform { required_providers { diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf index 3fde6e07cc..01307fff8d 100644 --- a/ops/keycloak/user_sources.tf +++ b/ops/keycloak/user_sources.tf @@ -2,6 +2,10 @@ # information (either by accessing a system like LDAP or integration # through protocols like OIDC). +variable "github_client_secret" { + type = string +} + resource "keycloak_ldap_user_federation" "tvl_ldap" { name = "tvl-ldap" realm_id = keycloak_realm.tvl.id @@ -19,3 +23,22 @@ resource "keycloak_ldap_user_federation" "tvl_ldap" { "organizationalPerson", ] } + +# keycloak_oidc_identity_provider.github will be destroyed +# (because keycloak_oidc_identity_provider.github is not in configuration) +resource "keycloak_oidc_identity_provider" "github" { + alias = "github" + provider_id = "github" + client_id = "6d7f8bb2e82bb6739556" + client_secret = var.github_client_secret + realm = keycloak_realm.tvl.id + backchannel_supported = false + gui_order = "1" + store_token = false + sync_mode = "IMPORT" + trust_email = true + + # These default to built-in values for the `github` provider_id. + authorization_url = "" + token_url = "" +} diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age index b450e84fb0..c916dcd2a3 100644 --- a/ops/secrets/tf-keycloak.age +++ b/ops/secrets/tf-keycloak.age Binary files differ |