about summary refs log tree commit diff
path: root/ops
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2022-01-01T14·46+0300
committertazjin <mail@tazj.in>2022-01-02T21·22+0000
commit5a6f984222d37e50c8d7c06415ba48e66f45b4ed (patch)
tree5b1cd5b14f062775dfd29944f932bb1a631499a9 /ops
parent5e036ed9fc579d14353eb7da4af4b426c99f96e6 (diff)
refactor(ops/keycloak): Split out clients & user-sources r/3511
Without some kind of physical organisation it's a little difficult to
understand whether things are going "in" (supplying users to Keycloak)
or "out" (getting auth/user info from Keycloak).

Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Diffstat (limited to 'ops')
-rw-r--r--ops/keycloak/clients.tf92
-rw-r--r--ops/keycloak/main.tf106
-rw-r--r--ops/keycloak/user_sources.tf21
3 files changed, 113 insertions, 106 deletions
diff --git a/ops/keycloak/clients.tf b/ops/keycloak/clients.tf
new file mode 100644
index 000000000000..5f2fd21a3557
--- /dev/null
+++ b/ops/keycloak/clients.tf
@@ -0,0 +1,92 @@
+# All Keycloak clients, that is applications which authenticate
+# through Keycloak.
+#
+# Includes first-party (i.e. TVL-hosted) and third-party clients.
+
+resource "keycloak_openid_client" "grafana" {
+  realm_id              = keycloak_realm.tvl.id
+  client_id             = "grafana"
+  name                  = "Grafana"
+  enabled               = true
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  base_url              = "https://status.tvl.su"
+
+  valid_redirect_uris = [
+    "https://status.tvl.su/*",
+  ]
+}
+
+resource "keycloak_openid_client" "gerrit" {
+  realm_id                                 = keycloak_realm.tvl.id
+  client_id                                = "gerrit"
+  name                                     = "TVL Gerrit"
+  enabled                                  = true
+  access_type                              = "CONFIDENTIAL"
+  standard_flow_enabled                    = true
+  base_url                                 = "https://cl.tvl.fyi"
+  description                              = "TVL's code review tool"
+  direct_access_grants_enabled             = true
+  exclude_session_state_from_auth_response = false
+
+  valid_redirect_uris = [
+    "https://cl.tvl.fyi/*",
+  ]
+
+  web_origins = [
+    "https://cl.tvl.fyi",
+  ]
+}
+
+resource "keycloak_saml_client" "buildkite" {
+  realm_id  = keycloak_realm.tvl.id
+  client_id = "https://buildkite.com"
+  name      = "Buildkite"
+  base_url  = "https://buildkite.com/sso/tvl"
+
+  client_signature_required   = false
+  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+
+  valid_redirect_uris = [
+    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+  ]
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+  realm_id                   = keycloak_realm.tvl.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-email-mapper"
+  user_attribute             = "email"
+  saml_attribute_name        = "email"
+  saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+  realm_id                   = keycloak_realm.tvl.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-name-mapper"
+  user_attribute             = "displayName"
+  saml_attribute_name        = "name"
+  saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_openid_client" "oauth2_proxy" {
+  realm_id              = keycloak_realm.tvl.id
+  client_id             = "oauth2-proxy"
+  name                  = "TVL OAuth2 Proxy"
+  enabled               = true
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+
+  valid_redirect_uris = [
+    "https://login.tvl.fyi/oauth2/callback",
+    "http://localhost:4774/oauth2/callback",
+  ]
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
+  realm_id                 = keycloak_realm.tvl.id
+  client_id                = keycloak_openid_client.oauth2_proxy.id
+  name                     = "oauth2-proxy-audience"
+  included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
+}
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index c5f8c6b6d736..819267ff96c5 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -32,109 +32,3 @@ resource "keycloak_realm" "tvl" {
   display_name                = "The Virus Lounge"
   default_signature_algorithm = "RS256"
 }
-
-resource "keycloak_ldap_user_federation" "tvl_ldap" {
-  name                    = "tvl-ldap"
-  realm_id                = keycloak_realm.tvl.id
-  enabled                 = true
-  connection_url          = "ldap://localhost"
-  users_dn                = "ou=users,dc=tvl,dc=fyi"
-  username_ldap_attribute = "cn"
-  uuid_ldap_attribute     = "cn"
-  rdn_ldap_attribute      = "cn"
-  full_sync_period        = 86400
-  trust_email             = true
-
-  user_object_classes = [
-    "inetOrgPerson",
-    "organizationalPerson",
-  ]
-}
-
-resource "keycloak_openid_client" "oauth2_proxy" {
-  realm_id              = keycloak_realm.tvl.id
-  client_id             = "oauth2-proxy"
-  name                  = "TVL OAuth2 Proxy"
-  enabled               = true
-  access_type           = "CONFIDENTIAL"
-  standard_flow_enabled = true
-
-  valid_redirect_uris = [
-    "https://login.tvl.fyi/oauth2/callback",
-    "http://localhost:4774/oauth2/callback",
-  ]
-}
-
-resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
-  realm_id                 = keycloak_realm.tvl.id
-  client_id                = keycloak_openid_client.oauth2_proxy.id
-  name                     = "oauth2-proxy-audience"
-  included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
-}
-
-resource "keycloak_openid_client" "grafana" {
-  realm_id              = keycloak_realm.tvl.id
-  client_id             = "grafana"
-  name                  = "Grafana"
-  enabled               = true
-  access_type           = "CONFIDENTIAL"
-  standard_flow_enabled = true
-  base_url              = "https://status.tvl.su"
-
-  valid_redirect_uris = [
-    "https://status.tvl.su/*",
-  ]
-}
-
-resource "keycloak_openid_client" "gerrit" {
-  realm_id                                 = keycloak_realm.tvl.id
-  client_id                                = "gerrit"
-  name                                     = "TVL Gerrit"
-  enabled                                  = true
-  access_type                              = "CONFIDENTIAL"
-  standard_flow_enabled                    = true
-  base_url                                 = "https://cl.tvl.fyi"
-  description                              = "TVL's code review tool"
-  direct_access_grants_enabled             = true
-  exclude_session_state_from_auth_response = false
-
-  valid_redirect_uris = [
-    "https://cl.tvl.fyi/*",
-  ]
-
-  web_origins = [
-    "https://cl.tvl.fyi",
-  ]
-}
-
-resource "keycloak_saml_client" "buildkite" {
-  realm_id  = keycloak_realm.tvl.id
-  client_id = "https://buildkite.com"
-  name      = "Buildkite"
-  base_url  = "https://buildkite.com/sso/tvl"
-
-  client_signature_required   = false
-  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
-
-  valid_redirect_uris = [
-    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
-  ]
-}
-
-resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
-  realm_id                   = keycloak_realm.tvl.id
-  client_id                  = keycloak_saml_client.buildkite.id
-  name                       = "buildkite-email-mapper"
-  user_attribute             = "email"
-  saml_attribute_name        = "email"
-  saml_attribute_name_format = "Unspecified"
-}
-
-resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
-  realm_id                   = keycloak_realm.tvl.id
-  client_id                  = keycloak_saml_client.buildkite.id
-  name                       = "buildkite-name-mapper"
-  user_attribute             = "displayName"
-  saml_attribute_name        = "name"
-  saml_attribute_name_format = "Unspecified"
-}
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
new file mode 100644
index 000000000000..3fde6e07cc91
--- /dev/null
+++ b/ops/keycloak/user_sources.tf
@@ -0,0 +1,21 @@
+# All user sources, that is services from which Keycloak gets user
+# information (either by accessing a system like LDAP or integration
+# through protocols like OIDC).
+
+resource "keycloak_ldap_user_federation" "tvl_ldap" {
+  name                    = "tvl-ldap"
+  realm_id                = keycloak_realm.tvl.id
+  enabled                 = true
+  connection_url          = "ldap://localhost"
+  users_dn                = "ou=users,dc=tvl,dc=fyi"
+  username_ldap_attribute = "cn"
+  uuid_ldap_attribute     = "cn"
+  rdn_ldap_attribute      = "cn"
+  full_sync_period        = 86400
+  trust_email             = true
+
+  user_object_classes = [
+    "inetOrgPerson",
+    "organizationalPerson",
+  ]
+}