author | Vincent Ambo <mail@tazj.in> | 2021-12-28T12·38+0300 |
committer | clbot <clbot@tvl.fyi> | 2021-12-28T17·37+0000 |
commit | b763f183f770a628fb9f338b8f52ba8185bccaa7 (patch) | |
tree | d84dd198fb0fd444b8b770f4dc9499a61c1b5400 /ops/keycloak/main.tf | |
parent | 666a944c5933716a7d067786f837e4b509a1c086 (diff) |
fix(ops/keycloak): redefine buildkite client, correctly this time r/3495
This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform. This sets up the Buildkite provider again but with the correct SAML configuration this time. Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/keycloak/main.tf')
-rw-r--r-- | ops/keycloak/main.tf | 41 |
1 files changed, 26 insertions, 15 deletions
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index 7e9dd4b5b9c5..c5f8c6b6d736 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -107,23 +107,34 @@ resource "keycloak_openid_client" "gerrit" {
 ]
 }
 
-resource "keycloak_openid_client" "buildkite" {
- realm_id = keycloak_realm.tvl.id
- client_id = "https://buildkite.com"
- name = "Buildkite"
- enabled = true
- access_type = "CONFIDENTIAL"
- standard_flow_enabled = true
- base_url = "https://buildkite.com/sso/tvl"
- direct_access_grants_enabled = false
- exclude_session_state_from_auth_response = false
- backchannel_logout_session_required = false
+resource "keycloak_saml_client" "buildkite" {
+ realm_id = keycloak_realm.tvl.id
+ client_id = "https://buildkite.com"
+ name = "Buildkite"
+ base_url = "https://buildkite.com/sso/tvl"
+
+ client_signature_required = false
+ assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
 
 valid_redirect_uris = [
- "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume",
+ "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
 ]
+}
 
- web_origins = [
- "https://buildkite.com",
- ]
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+ realm_id = keycloak_realm.tvl.id
+ client_id = keycloak_saml_client.buildkite.id
+ name = "buildkite-email-mapper"
+ user_attribute = "email"
+ saml_attribute_name = "email"
+ saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+ realm_id = keycloak_realm.tvl.id
+ client_id = keycloak_saml_client.buildkite.id
+ name = "buildkite-name-mapper"
+ user_attribute = "displayName"
+ saml_attribute_name = "name"
+ saml_attribute_name_format = "Unspecified"
 }
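Review bot: `client_signature_required = false` on the new `keycloak_saml_client.buildkite` tells Keycloak to accept unsigned SAML requests from this client, and the commit records no reason for it; a comment such as `# Buildkite-initiated requests are accepted unsigned — confirm against the Buildkite SAML setup before relying on this` would make the decision reviewable. The direction that matters more, Keycloak signing the response Buildkite consumes, is left to provider defaults here; pinning it explicitly with `sign_documents = true` beside `client_signature_required` states the intent and survives a provider default change. The consumer URL carrying the tenant id is written twice (`assertion_consumer_post_url` and `valid_redirect_uris`), so a single `locals` value would keep the two from drifting. In `buildkite_name`, `user_attribute = "displayName"` presumably refers to a custom user attribute rather than a built-in Keycloak field — worth confirming it is populated for the realm's users, otherwise the `name` attribute is likely emitted empty.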