about summary refs log tree commit diff
path: root/ops/keycloak/main.tf
blob: 7e9dd4b5b9c566ba238ca7b007e52c9e260c09ee (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# Configure TVL Keycloak instance.
#
# TODO(tazjin): Configure GitHub/GitLab IDP

terraform {
  required_providers {
    keycloak = {
      source = "mrparkers/keycloak"
    }
  }

  backend "s3" {
    endpoint = "https://objects.dc-sto1.glesys.net"
    bucket   = "tvl-state"
    key      = "terraform/tvl-keycloak"
    region   = "glesys"

    skip_credentials_validation = true
    skip_region_validation      = true
    skip_metadata_api_check     = true
  }
}

provider "keycloak" {
  client_id = "terraform"
  url       = "https://auth.tvl.fyi"
}

resource "keycloak_realm" "tvl" {
  realm                       = "TVL"
  enabled                     = true
  display_name                = "The Virus Lounge"
  default_signature_algorithm = "RS256"
}

resource "keycloak_ldap_user_federation" "tvl_ldap" {
  name                    = "tvl-ldap"
  realm_id                = keycloak_realm.tvl.id
  enabled                 = true
  connection_url          = "ldap://localhost"
  users_dn                = "ou=users,dc=tvl,dc=fyi"
  username_ldap_attribute = "cn"
  uuid_ldap_attribute     = "cn"
  rdn_ldap_attribute      = "cn"
  full_sync_period        = 86400
  trust_email             = true

  user_object_classes = [
    "inetOrgPerson",
    "organizationalPerson",
  ]
}

resource "keycloak_openid_client" "oauth2_proxy" {
  realm_id              = keycloak_realm.tvl.id
  client_id             = "oauth2-proxy"
  name                  = "TVL OAuth2 Proxy"
  enabled               = true
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true

  valid_redirect_uris = [
    "https://login.tvl.fyi/oauth2/callback",
    "http://localhost:4774/oauth2/callback",
  ]
}

resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
  realm_id                 = keycloak_realm.tvl.id
  client_id                = keycloak_openid_client.oauth2_proxy.id
  name                     = "oauth2-proxy-audience"
  included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
}

resource "keycloak_openid_client" "grafana" {
  realm_id              = keycloak_realm.tvl.id
  client_id             = "grafana"
  name                  = "Grafana"
  enabled               = true
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  base_url              = "https://status.tvl.su"

  valid_redirect_uris = [
    "https://status.tvl.su/*",
  ]
}

resource "keycloak_openid_client" "gerrit" {
  realm_id                                 = keycloak_realm.tvl.id
  client_id                                = "gerrit"
  name                                     = "TVL Gerrit"
  enabled                                  = true
  access_type                              = "CONFIDENTIAL"
  standard_flow_enabled                    = true
  base_url                                 = "https://cl.tvl.fyi"
  description                              = "TVL's code review tool"
  direct_access_grants_enabled             = true
  exclude_session_state_from_auth_response = false

  valid_redirect_uris = [
    "https://cl.tvl.fyi/*",
  ]

  web_origins = [
    "https://cl.tvl.fyi",
  ]
}

resource "keycloak_openid_client" "buildkite" {
  realm_id                                 = keycloak_realm.tvl.id
  client_id                                = "https://buildkite.com"
  name                                     = "Buildkite"
  enabled                                  = true
  access_type                              = "CONFIDENTIAL"
  standard_flow_enabled                    = true
  base_url                                 = "https://buildkite.com/sso/tvl"
  direct_access_grants_enabled             = false
  exclude_session_state_from_auth_response = false
  backchannel_logout_session_required      = false

  valid_redirect_uris = [
    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume",
  ]

  web_origins = [
    "https://buildkite.com",
  ]
}