about summary refs log tree commit diff
path: root/ops/keycloak/main.tf
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2021-12-28T12·38+0300
committerclbot <clbot@tvl.fyi>2021-12-28T17·37+0000
commitb763f183f770a628fb9f338b8f52ba8185bccaa7 (patch)
treed84dd198fb0fd444b8b770f4dc9499a61c1b5400 /ops/keycloak/main.tf
parent666a944c5933716a7d067786f837e4b509a1c086 (diff)
fix(ops/keycloak): redefine buildkite client, correctly this time r/3495
This client definition was previously nonsense. What happened is that
I accidentally imported the client as an OIDC client, which Keycloak
accepted because apparently those are the same entities on the API
level, and that ended up getting mangled into some broken hybrid shape
by Terraform.

This sets up the Buildkite provider again but with the correct
SAML configuration this time.

Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/keycloak/main.tf')
-rw-r--r--ops/keycloak/main.tf41
1 files changed, 26 insertions, 15 deletions
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index 7e9dd4b5b9c5..c5f8c6b6d736 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -107,23 +107,34 @@ resource "keycloak_openid_client" "gerrit" {
   ]
 }
 
-resource "keycloak_openid_client" "buildkite" {
-  realm_id                                 = keycloak_realm.tvl.id
-  client_id                                = "https://buildkite.com"
-  name                                     = "Buildkite"
-  enabled                                  = true
-  access_type                              = "CONFIDENTIAL"
-  standard_flow_enabled                    = true
-  base_url                                 = "https://buildkite.com/sso/tvl"
-  direct_access_grants_enabled             = false
-  exclude_session_state_from_auth_response = false
-  backchannel_logout_session_required      = false
+resource "keycloak_saml_client" "buildkite" {
+  realm_id  = keycloak_realm.tvl.id
+  client_id = "https://buildkite.com"
+  name      = "Buildkite"
+  base_url  = "https://buildkite.com/sso/tvl"
+
+  client_signature_required   = false
+  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
 
   valid_redirect_uris = [
-    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume",
+    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
   ]
+}
 
-  web_origins = [
-    "https://buildkite.com",
-  ]
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+  realm_id                   = keycloak_realm.tvl.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-email-mapper"
+  user_attribute             = "email"
+  saml_attribute_name        = "email"
+  saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+  realm_id                   = keycloak_realm.tvl.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-name-mapper"
+  user_attribute             = "displayName"
+  saml_attribute_name        = "name"
+  saml_attribute_name_format = "Unspecified"
 }