// Remote state is kept in the PostgreSQL ("pg") backend under a dedicated schema.
// NOTE(review): the values returned by the data "external" blocks below are part of
// that state, so the backend database needs the same access controls as the vault
// files the secrets come from.
terraform {
  backend "pg" {
    schema_name = "terraform_remote_state_stage2"
  }
}
// Keycloak admin and SMTP credentials, looked up by misc/get_key.py from the
// group_vars vault file (presumably Ansible-vault encrypted; the script is not in
// this file). Each requested key is exposed as
// data.external.vault_keycloak.result.<key>; consumers are provider "keycloak"
// and the realm's smtp_server auth block.
data "external" "vault_keycloak" {
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_keycloak.yml",
    "vault_keycloak_admin_user",
    "vault_keycloak_admin_password",
    "vault_keycloak_smtp_user",
    "vault_keycloak_smtp_password",
    "--format", "json"]
}
// reCAPTCHA site and secret keys for the registration flow; consumed by
// keycloak_authentication_execution_config.registration_recaptcha_action_config.
data "external" "vault_google" {
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_google.yml",
    "vault_google_recaptcha_site_key",
    "vault_google_recaptcha_secret_key",
    "--format", "json"]
}
// OAuth app credentials for the GitHub identity provider
// (keycloak_oidc_identity_provider.realm_identity_provider).
data "external" "vault_github" {
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_github.yml",
    "vault_github_oauth_app_client_id",
    "vault_github_oauth_app_client_secret",
    "--format", "json"]
}
// Client secret for the Grafana OIDC client. Its consumer is not in this part of
// the file.
data "external" "vault_monitoring" {
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_monitoring.yml",
    "vault_monitoring_grafana_client_secret",
    "--format", "json"]
}
// Client secret for the HedgeDoc OIDC client. Its consumer is not in this part of
// the file.
data "external" "vault_hedgedoc" {
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_hedgedoc.yml",
    "vault_hedgedoc_client_secret",
    "--format", "json"]
}
// Client secret for the Matrix OpenID client. Its consumer is not in this part of
// the file.
data "external" "vault_matrix" {
  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_matrix.yml",
    "vault_matrix_openid_client_secret",
    "--format", "json"]
}
// Provider login uses the built-in admin-cli client with the admin account from the
// vault. These are full administrative credentials for the Keycloak instance.
provider "keycloak" {
  client_id = "admin-cli"
  username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
  password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
  url       = "https://accounts.archlinux.org"
}
// GitLab endpoints used by the SAML client (keycloak_saml_client.saml_gitlab):
// root_url for the client base and saml_redirect_url as the only accepted
// assertion consumer / redirect target.
variable "gitlab_instance" {
  default = {
    root_url          = "https://gitlab.archlinux.org"
    saml_redirect_url = "https://gitlab.archlinux.org/users/auth/saml/callback"
  }
}
// The realm that all Arch Linux services authenticate against. The browser,
// registration and reset-credentials flows are bound by alias to the custom
// keycloak_authentication_flow resources further down in this file.
resource "keycloak_realm" "archlinux" {
  realm             = "archlinux"
  enabled           = true
  remember_me       = true
  display_name      = "Arch Linux"
  display_name_html = "<div class=\"kc-logo-text\"><span>Arch Linux</span></div>"

  reset_password_allowed   = true
  verify_email             = true
  login_with_email_allowed = true
  # At least 8 characters and not equal to the username. Second-factor enforcement
  # is done by the custom flows below, not by this policy.
  password_policy = "length(8) and notUsername"

  # WebAuthn relying party settings; the RP id is the domain users log in on.
  web_authn_policy {
    relying_party_entity_name = "Arch Linux SSO"
    relying_party_id          = "accounts.archlinux.org"
    # Signature algorithms accepted from authenticators.
    signature_algorithms = ["ES256", "RS256", "ES512", "RS512"]
  }

  login_theme   = "archlinux"
  account_theme = "archlinux"
  admin_theme   = "archlinux"

  # Aliases of the custom flows declared below.
  browser_flow           = "Arch Browser"
  registration_flow      = "Arch Registration"
  reset_credentials_flow = "Arch Reset Credentials"

  smtp_server {
    host = "mail.archlinux.org"
    from = "accounts@archlinux.org"
    # Port 465 with ssl = true / starttls = false: TLS from the first byte, no
    # opportunistic STARTTLS upgrade.
    port              = "465"
    from_display_name = "Arch Linux Accounts"
    ssl               = true
    starttls          = false

    auth {
      username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
      password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
    }
  }

  security_defenses {
    headers {
      # NOTE(review): ALLOW-FROM is a legacy directive that current browsers do
      # not honour; the effective framing restriction is frame-ancestors 'self'
      # in the CSP below.
      x_frame_options = "ALLOW-FROM https://www.google.com"
      # frame-src permits google.com frames (presumably the reCAPTCHA widget of
      # the registration flow); embedding this site is limited to its own origin.
      content_security_policy = "frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';"
      # Explicitly empty: no report-only policy is sent.
      content_security_policy_report_only = ""
      x_content_type_options              = "nosniff"
      x_robots_tag                        = "none"
      # Legacy header for older browsers; modern ones ignore it.
      x_xss_protection = "1; mode=block"
      # One year HSTS including subdomains (no preload directive).
      strict_transport_security = "max-age=31536000; includeSubDomains"
    }

    # Temporary lockouts only; the counter resets after 12 hours without failures.
    brute_force_detection {
      permanent_lockout                = false
      max_login_failures               = 30
      wait_increment_seconds           = 60
      quick_login_check_milli_seconds  = 1000
      minimum_quick_login_wait_seconds = 60
      max_failure_wait_seconds         = 900   # 15 minutes
      failure_reset_time_seconds       = 43200 # 12 hours
    }
  }
}
// Terms and Conditions acceptance. default_action = true makes it a required
// action for every newly created user.
resource "keycloak_required_action" "custom-terms-and-conditions" {
  realm_id       = "archlinux"
  alias          = "terms_and_conditions"
  default_action = true
  enabled        = true
  name           = "Terms and Conditions"
}
// Built-in required actions below are enabled with an explicit priority so their
// order in the account/required-action UI is deterministic (lower runs first).
resource "keycloak_required_action" "configure_otp" {
  realm_id = "archlinux"
  alias    = "CONFIGURE_TOTP"
  enabled  = true
  name     = "Configure OTP"
  priority = 0
}
// Force a password change when set on a user; priority 20 (after OTP setup).
resource "keycloak_required_action" "update_password" {
  realm_id = "archlinux"
  alias    = "UPDATE_PASSWORD"
  enabled  = true
  name     = "Update Password"
  priority = 20
}
// Profile completion; priority 30.
resource "keycloak_required_action" "update_profile" {
  realm_id = "archlinux"
  alias    = "UPDATE_PROFILE"
  enabled  = true
  name     = "Update Profile"
  priority = 30
}
// Email verification; paired with verify_email = true on the realm. Priority 40.
resource "keycloak_required_action" "verify_email" {
  realm_id = "archlinux"
  alias    = "VERIFY_EMAIL"
  enabled  = true
  name     = "Verify Email"
  priority = 40
}
// Locale update; priority 50.
resource "keycloak_required_action" "update_user_locale" {
  realm_id = "archlinux"
  alias    = "update_user_locale"
  enabled  = true
  name     = "Update User Locale"
  priority = 50
}
// WebAuthn credential registration, used by the 2FA subflows below as the
// alternative to OTP. Priority 60 (last).
resource "keycloak_required_action" "webauthn_register" {
  realm_id = "archlinux"
  alias    = "webauthn-register"
  enabled  = true
  name     = "Webauthn Register"
  priority = 60
}
// Audit configuration: user (login) events and admin events, including the
// representation details of admin changes, are recorded and exported to Prometheus.
resource "keycloak_realm_events" "realm_events" {
  realm_id = "archlinux"

  events_enabled    = true
  events_expiration = 7889238 # 3 months (seconds)

  admin_events_enabled         = true
  admin_events_details_enabled = true

  # When omitted or left empty, keycloak will enable all event types
  enabled_event_types = [
  ]

  events_listeners = [
    "jboss-logging",    # keycloak enables the 'jboss-logging' event listener by default.
    "metrics-listener", # enable the prometheus exporter (keycloak-metrics-spi)
  ]
}
// GitHub as an external identity provider. Currently disabled (enabled = false).
// Users brokered through it still go through the post-broker flow, which forces
// a second factor.
resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
  realm             = "archlinux"
  alias             = "github"
  provider_id       = "github"
  authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
  client_id         = data.external.vault_github.result.vault_github_oauth_app_client_id
  client_secret     = data.external.vault_github.result.vault_github_oauth_app_client_secret
  # NOTE(review): empty values for attributes the provider schema requires; the
  # built-in github provider presumably supplies its own endpoints - confirm.
  token_url      = ""
  default_scopes = ""
  post_broker_login_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
  enabled                      = false
  # Email addresses from GitHub are not trusted: verification still applies.
  trust_email = false
  # GitHub tokens are not retained in Keycloak.
  store_token           = false
  backchannel_supported = false
  extra_config = {
    syncMode = "IMPORT"
  }
}
// SAML service provider entry for GitLab. Documents and assertions are signed with
// RSA-SHA256; the only accepted redirect / ACS target is the GitLab SAML callback
// from var.gitlab_instance. Attributes are released by the
// keycloak_saml_user_property_protocol_mapper resources below.
resource "keycloak_saml_client" "saml_gitlab" {
  realm_id  = "archlinux"
  client_id = "saml_gitlab"

  name    = "Arch Linux Accounts"
  enabled = true

  signature_algorithm = "RSA_SHA256"
  sign_documents      = true
  sign_assertions     = true

  valid_redirect_uris = [
    var.gitlab_instance.saml_redirect_url
  ]

  root_url                   = var.gitlab_instance.root_url
  base_url                   = "/"
  master_saml_processing_url = var.gitlab_instance.saml_redirect_url
  idp_initiated_sso_url_name = "saml_gitlab"

  assertion_consumer_post_url = var.gitlab_instance.saml_redirect_url
}
// This client is only used for the return URL redirect hack!
// See roles/gitlab/tasks/main.yml
// Public client (no secret), authorization-code flow only, scoped down with
// full_scope_allowed = false and a single exact redirect URI.
resource "keycloak_openid_client" "openid_gitlab" {
  realm_id  = "archlinux"
  client_id = "openid_gitlab"

  name    = "Arch Linux Accounts"
  enabled = true

  access_type           = "PUBLIC"
  standard_flow_enabled = true
  full_scope_allowed    = false
  valid_redirect_uris = [
    "https://gitlab.archlinux.org"
  ]
}
// Release the user's email to GitLab as SAML attribute "email".
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
  realm_id  = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name                       = "email"
  user_property              = "Email"
  friendly_name              = "Email"
  saml_attribute_name        = "email"
  saml_attribute_name_format = "Basic"
}
// Release the first name to GitLab as SAML attribute "first_name".
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name" {
  realm_id  = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name                       = "first_name"
  user_property              = "FirstName"
  friendly_name              = "First Name"
  saml_attribute_name        = "first_name"
  saml_attribute_name_format = "Basic"
}
// Release the last name to GitLab as SAML attribute "last_name".
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_last_name" {
  realm_id  = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name                       = "last_name"
  user_property              = "LastName"
  friendly_name              = "Last Name"
  saml_attribute_name        = "last_name"
  saml_attribute_name_format = "Basic"
}
// Release the Keycloak username to GitLab as SAML attribute "username".
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_username" {
  realm_id  = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id

  name                       = "username"
  user_property              = "Username"
  friendly_name              = "Username"
  saml_attribute_name        = "username"
  saml_attribute_name_format = "Basic"
}
// This is the super group in which we put the other Arch groups.
// We want to end up with this structure:
// Arch Linux Staff
// |- DevOps
// |- Developers
// |- Trusted Users
// |- Wiki
// |  |- Admins
// |- Forum
// |  |- Admins
// |  |- Mods
// |- Security Team
// |  |- Admins
// |  |- Members
// |- IRC
// |  |- Ops
// |- Archweb
// |  |- Mirrorlist Maintainers
// |- Bug Wranglers
// External Contributors
// |- Security Team
// |  |- Reporters
// |- Archweb
// |  |- Testers
//
// Root of the staff tree; membership grants the "Staff" role via
// keycloak_group_roles.staff.
resource "keycloak_group" "staff" {
  realm_id = "archlinux"
  name     = "Arch Linux Staff"
}
// First-level staff groups; addressed elsewhere as keycloak_group.staff_groups["<name>"].
resource "keycloak_group" "staff_groups" {
  for_each = toset(["DevOps", "Developers", "Trusted Users", "Wiki", "Forum", "Security Team", "IRC", "Archweb", "Bug Wranglers"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.staff.id
  name      = each.value
}
// Subgroups of Arch Linux Staff / Wiki.
resource "keycloak_group" "staff_wiki_groups" {
  for_each = toset(["Admins"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.staff_groups["Wiki"].id
  name      = each.value
}
// Subgroups of Arch Linux Staff / Forum.
resource "keycloak_group" "staff_forum_groups" {
  for_each = toset(["Admins", "Mods"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.staff_groups["Forum"].id
  name      = each.value
}
// Subgroups of Arch Linux Staff / Security Team.
resource "keycloak_group" "staff_securityteam_groups" {
  for_each = toset(["Admins", "Members"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.staff_groups["Security Team"].id
  name      = each.value
}
// Subgroups of Arch Linux Staff / IRC.
resource "keycloak_group" "staff_irc_groups" {
  for_each = toset(["Ops"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.staff_groups["IRC"].id
  name      = each.value
}
// Subgroups of Arch Linux Staff / Archweb.
resource "keycloak_group" "staff_archweb_groups" {
  for_each = toset(["Mirrorlist Maintainers"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.staff_groups["Archweb"].id
  name      = each.value
}
// Root of the external-contributor tree; membership grants the
// "External Contributor" role via keycloak_group_roles.externalcontributor.
resource "keycloak_group" "externalcontributors" {
  realm_id = "archlinux"
  name     = "External Contributors"
}
// First-level external-contributor groups; same names as some staff groups but
// a different subtree, so they carry a different role.
resource "keycloak_group" "externalcontributors_groups" {
  for_each = toset(["Security Team", "Archweb"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.externalcontributors.id
  name      = each.value
}
// Subgroups of External Contributors / Security Team.
resource "keycloak_group" "externalcontributors_securityteam_groups" {
  for_each = toset(["Reporters"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.externalcontributors_groups["Security Team"].id
  name      = each.value
}
// Subgroups of External Contributors / Archweb.
resource "keycloak_group" "externalcontributors_archweb_groups" {
  for_each = toset(["Testers"])

  realm_id  = "archlinux"
  parent_id = keycloak_group.externalcontributors_groups["Archweb"].id
  name      = each.value
}
// Realm role granted to the DevOps group (keycloak_group_roles.devops).
resource "keycloak_role" "devops" {
  realm_id    = "archlinux"
  name        = "DevOps"
  description = "Role held by members of the DevOps group"
}
// Realm role granted to the whole staff tree (keycloak_group_roles.staff).
resource "keycloak_role" "staff" {
  realm_id    = "archlinux"
  name        = "Staff"
  description = "Role held by all Arch Linux staff"
}
// Realm role granted to the external-contributor tree
// (keycloak_group_roles.externalcontributor).
resource "keycloak_role" "externalcontributor" {
  realm_id    = "archlinux"
  name        = "External Contributor"
  description = "Role held by external contributors working on Arch Linux projects without further access"
}
// Map the DevOps group to the DevOps role. Members also inherit "Staff" through
// the parent group mapping below.
resource "keycloak_group_roles" "devops" {
  realm_id = "archlinux"
  group_id = keycloak_group.staff_groups["DevOps"].id
  role_ids = [
    keycloak_role.devops.id
  ]
}
// Map the Arch Linux Staff root group to the Staff role.
resource "keycloak_group_roles" "staff" {
  realm_id = "archlinux"
  group_id = keycloak_group.staff.id
  role_ids = [
    keycloak_role.staff.id
  ]
}
// Map the External Contributors root group to the External Contributor role.
resource "keycloak_group_roles" "externalcontributor" {
  realm_id = "archlinux"
  group_id = keycloak_group.externalcontributors.id
  role_ids = [
    keycloak_role.externalcontributor.id
  ]
}
// Add new custom registration flow with reCAPTCHA
// Bound to the realm through registration_flow = "Arch Registration". The
// executions are declared below and ordered with depends_on.
resource "keycloak_authentication_flow" "arch_registration_flow" {
  realm_id    = "archlinux"
  alias       = "Arch Registration"
  description = "Customized Registration flow that forces enables ReCAPTCHA."
}
// Form subflow holding the registration page; every step inside it is REQUIRED.
resource "keycloak_authentication_subflow" "registration_form" {
  realm_id          = "archlinux"
  alias             = "Registration Form"
  parent_flow_alias = keycloak_authentication_flow.arch_registration_flow.alias
  provider_id       = "form-flow"
  authenticator     = "registration-page-form"
  requirement       = "REQUIRED"
}
// Step 1 of the registration form: create the user.
resource "keycloak_authentication_execution" "registration_user_creation" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
  authenticator     = "registration-user-creation"
  requirement       = "REQUIRED"
}
// Step 2: profile validation. depends_on fixes the execution order (see the note
// on the browser flow below about the provider's ordering limitation).
resource "keycloak_authentication_execution" "registration_profile_action" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
  authenticator     = "registration-profile-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_user_creation]
}
// Step 3: password entry (validated against the realm password_policy).
resource "keycloak_authentication_execution" "registration_password_action" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
  authenticator     = "registration-password-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_profile_action]
}
// Step 4: reCAPTCHA challenge, REQUIRED so automated sign-ups are rejected.
// Keys are supplied by the config resource that follows.
resource "keycloak_authentication_execution" "registration_recaptcha_action" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
  authenticator     = "registration-recaptcha-action"
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.registration_password_action]
}
// reCAPTCHA keys for the registration step. The secret is read from the vault
// data source and stored in Keycloak's authenticator config (and in Terraform state).
resource "keycloak_authentication_execution_config" "registration_recaptcha_action_config" {
  realm_id     = "archlinux"
  alias        = "reCAPTCHA config"
  execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
  config = {
    "useRecaptchaNet" = "false",
    "site.key"        = data.external.vault_google.result.vault_google_recaptcha_site_key
    "secret"          = data.external.vault_google.result.vault_google_recaptcha_secret_key
  }
}
// Add new custom browser login flow with WebAuthn support and forced OTP.
//
// Try misc/kcadm_wrapper.sh get authentication/flows/{{ your flow alias}}/executions
// to make this a whole lot easier.
// NOTE: We use the `depends_on` calls to properly order the executions and subflows inside the
// flow. This has to be done until https://github.com/mrparkers/terraform-provider-keycloak/issues/296
// is fixed. :(
// We want to end up with something like this:
//
// Arch Browser flow
// |- Cookie (A)
// |- Identity Provider Redirector (A)
// |- Password and 2FA Subflow (A)
//    |- Username Password Form (R)
//    |- 2FA Subflow (R)
//       |- WebAuthn Authenticator (A)
//       |- OTP Form (A)
//       |- OTP Default Subflow (A)
//          |- OTP Form (R)
//
// (A) = ALTERNATIVE, (R) = REQUIRED. Because the 2FA subflow is REQUIRED and its
// children are ALTERNATIVE, a password login never completes without a second
// factor; the trailing "OTP Default" subflow is the fallback that applies when
// neither WebAuthn nor OTP is configured yet.
//
// IMPORTANT NOTE: Sometimes when changing Authentication Flows via Terraform or UI, flows can become orphaned in which
// case they'll hang around the database doing nothing useful and blocking alias names and causing 409 CONFLICTS. If such
// a thing happens, you'll have to get dirty and manually clean up the authentication_flows and authentication_executions
// tables on the Keycloak Postgres DB! Quality Red Hat software right there.

resource "keycloak_authentication_flow" "arch_browser_flow" {
  realm_id    = "archlinux"
  alias       = "Arch Browser"
  description = "Customized Browser flow that forces 2FA."
}
// Browser flow step: accept an existing SSO session cookie (ALTERNATIVE).
resource "keycloak_authentication_execution" "cookie" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
  authenticator     = "auth-cookie"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_flow.arch_browser_flow]
}
// Browser flow step: redirect to an external identity provider when requested
// (ALTERNATIVE).
resource "keycloak_authentication_execution" "identity_provider_redirector" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
  authenticator     = "identity-provider-redirector"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.cookie]
}
// Browser flow step: local login path (ALTERNATIVE to cookie / IdP redirect).
// Everything inside it is REQUIRED.
resource "keycloak_authentication_subflow" "password_and_2fa" {
  realm_id          = "archlinux"
  alias             = "Password and 2FA subflow"
  parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.identity_provider_redirector]
}
// Username + password form, first REQUIRED step of the local login path.
resource "keycloak_authentication_execution" "username_password_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
  authenticator     = "auth-username-password-form"
  requirement       = "REQUIRED"
}
// REQUIRED second-factor subflow: one of its ALTERNATIVE children (WebAuthn,
// OTP, or the OTP default subflow) must succeed after the password form.
resource "keycloak_authentication_subflow" "_2fa" {
  realm_id          = "archlinux"
  alias             = "2FA subflow"
  parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
  requirement       = "REQUIRED"
  depends_on        = [keycloak_authentication_execution.username_password_form]
}
// Second factor option: WebAuthn authenticator (ALTERNATIVE).
resource "keycloak_authentication_execution" "webauthn_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow._2fa.alias
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"
}
// Second factor option: TOTP form (ALTERNATIVE).
resource "keycloak_authentication_execution" "otp_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow._2fa.alias
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.webauthn_form]
}
// Fallback subflow (ALTERNATIVE) wrapping a REQUIRED OTP form, so a user with no
// second factor is still pushed through OTP instead of being let in.
resource "keycloak_authentication_subflow" "otp_default" {
  realm_id          = "archlinux"
  alias             = "OTP Default Subflow"
  parent_flow_alias = keycloak_authentication_subflow._2fa.alias
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.otp_form]
}
// REQUIRED OTP form inside the fallback subflow.
resource "keycloak_authentication_execution" "otp_default_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.otp_default.alias
  authenticator     = "auth-otp-form"
  requirement       = "REQUIRED"
}
// Add new custom post-Identity Provider login flow with forced OTP for some user roles
//
// Arch Post IPR Flow
// |- WebAuthn Form (A)
// |- OTP Form (A)
// |- IPR OTP Default Subflow (A)
//    |- OTP Form (R)
//
// Same second-factor layout as the browser flow's 2FA subflow, applied after a
// login brokered through an external identity provider
// (post_broker_login_flow_alias on the GitHub provider above).

resource "keycloak_authentication_flow" "arch_post_ipr_flow" {
  realm_id    = "archlinux"
  alias       = "Arch Post IPR Flow"
  description = "Post IPR login flow that forces 2FA."
}
// Post-IdP second factor option: WebAuthn (ALTERNATIVE).
resource "keycloak_authentication_execution" "ipr_webauthn_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"
}
// Post-IdP second factor option: TOTP form (ALTERNATIVE).
resource "keycloak_authentication_execution" "ipr_otp_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.ipr_webauthn_form]
}
// Post-IdP fallback subflow (ALTERNATIVE) with a REQUIRED OTP form inside.
resource "keycloak_authentication_subflow" "ipr_otp_default" {
  realm_id          = "archlinux"
  alias             = "IPR OTP Default Subflow"
  parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
  requirement       = "ALTERNATIVE"
  depends_on        = [keycloak_authentication_execution.ipr_otp_form]
}
// REQUIRED OTP form inside the post-IdP fallback subflow.
resource "keycloak_authentication_execution" "ipr_otp_default_form" {
  realm_id          = "archlinux"
  parent_flow_alias = keycloak_authentication_subflow.ipr_otp_default.alias
  authenticator     = "auth-otp-form"
  requirement       = "REQUIRED"
}
// Add new custom Reset Credentials flow that asks users to verify 2FA before resetting their password
// (R = REQUIRED, A = ALTERNATIVE, C = CONDITIONAL)
//
// Arch Reset Credentials
//   |- Choose User (R)
//   |- Send Reset Email (R)
//   |- Conditional Reset Credentials 2FA Subflow (C)
//      |- Condition - User Configured (R)
//      |- Reset Credentials 2FA Subflow (R)
//         |- WebAuthn Form (A)
//         |- OTP Form (A)
//         |- Reset Credentials OTP Default Subflow (A)
//            |- OTP Form (R)
//   |- Reset Password (R)
// Custom top-level reset-credentials flow: a user who has a second factor
// enrolled must present it before the password can be changed. All rc_*
// executions and subflows below hang off this flow's alias.
resource "keycloak_authentication_flow" "arch_reset_credentials_flow" {
  alias       = "Arch Reset Credentials"
  description = "Reset credentials flow that forces 2FA verification before password reset."
  realm_id    = "archlinux"
}
// Step 1 of the reset flow: identify the account to reset. No depends_on, so
// it is created first and therefore sits first in the flow.
resource "keycloak_authentication_execution" "rc_choose_user" {
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
  authenticator     = "reset-credentials-choose-user"
  requirement       = "REQUIRED"
  realm_id          = "archlinux"
}
// Step 2: send the reset link by e-mail. Chained after "choose user" so the
// provider creates (and thus orders) it second.
resource "keycloak_authentication_execution" "rc_reset_email" {
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
  authenticator     = "reset-credential-email"
  requirement       = "REQUIRED"
  realm_id          = "archlinux"

  depends_on = [keycloak_authentication_execution.rc_choose_user]
}
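// Conditional 2FA gate of the reset flow. The subflow body only runs when its
// nested "conditional-user-configured" execution passes, i.e. the user has a
// second factor enrolled; everyone else continues straight to "reset password".
resource "keycloak_authentication_subflow" "rc_conditional_2fa" {
  realm_id          = "archlinux"
  alias             = "Conditional Reset Credentials 2FA Subflow"
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
  requirement       = "CONDITIONAL"

  // The provider orders sibling executions by creation order, so the
  // depends_on chain must be unbroken: Choose User -> Send Reset Email ->
  // this subflow -> Reset Password (the documented layout above). Depending
  // only on rc_choose_user left the position relative to rc_reset_email
  // undefined — terraform may create the two in parallel — which can put the
  // 2FA challenge before the reset e-mail is sent. rc_reset_email itself
  // depends on rc_choose_user, so the earlier ordering is preserved transitively.
  depends_on = [keycloak_authentication_execution.rc_reset_email]
}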
// Condition guarding the conditional subflow: passes only when the user has
// configured credentials for the authenticators in this subflow; otherwise the
// subflow is skipped and the flow continues with the reset-password step.
resource "keycloak_authentication_execution" "rc_2fa_condition" {
  parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
  authenticator     = "conditional-user-configured"
  requirement       = "REQUIRED"
  realm_id          = "archlinux"
}
// Container for the actual second-factor challenge, evaluated only once the
// preceding condition has passed. REQUIRED inside the conditional subflow, so
// one of its ALTERNATIVE children must succeed.
resource "keycloak_authentication_subflow" "rc_2fa" {
  alias             = "Reset Credentials 2FA Subflow"
  parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
  requirement       = "REQUIRED"
  realm_id          = "archlinux"

  // Must be created after the condition so it is ordered after it.
  depends_on = [keycloak_authentication_execution.rc_2fa_condition]
}
// First second-factor alternative of the reset flow: WebAuthn. Created first
// within rc_2fa (no depends_on), so it leads that subflow.
resource "keycloak_authentication_execution" "rc_webauthn_form" {
  parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
  authenticator     = "webauthn-authenticator"
  requirement       = "ALTERNATIVE"
  realm_id          = "archlinux"
}
// Second second-factor alternative of the reset flow: TOTP, ordered after
// WebAuthn through the depends_on chain.
resource "keycloak_authentication_execution" "rc_otp_form" {
  parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
  authenticator     = "auth-otp-form"
  requirement       = "ALTERNATIVE"
  realm_id          = "archlinux"

  depends_on = [keycloak_authentication_execution.rc_webauthn_form]
}
// Fallback alternative of the reset 2FA subflow, mirroring the post-IPR one:
// a subflow holding a single REQUIRED OTP form, ordered last.
resource "keycloak_authentication_subflow" "rc_otp_default" {
  alias             = "Reset Credentials OTP Default Subflow"
  parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
  requirement       = "ALTERNATIVE"
  realm_id          = "archlinux"

  depends_on = [keycloak_authentication_execution.rc_otp_form]
}
// The mandatory OTP step inside the reset-credentials OTP default subflow.
resource "keycloak_authentication_execution" "rc_otp_default_form" {
  parent_flow_alias = keycloak_authentication_subflow.rc_otp_default.alias
  authenticator     = "auth-otp-form"
  requirement       = "REQUIRED"
  realm_id          = "archlinux"
}
// Final step: set the new password. Chained after the conditional 2FA subflow
// so that, for users with a second factor, the password is only changed after
// that factor has been verified.
resource "keycloak_authentication_execution" "rc_reset_password" {
  parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
  authenticator     = "reset-password"
  requirement       = "REQUIRED"
  realm_id          = "archlinux"

  depends_on = [keycloak_authentication_subflow.rc_conditional_2fa]
}
// Values the GitLab deployment needs to trust this realm as its SAML IdP. None
// of them is secret (the signing certificate is the public half), so a plain,
// non-sensitive output is appropriate.
output "gitlab_saml_configuration" {
  value = {
    issuer = keycloak_saml_client.saml_gitlab.client_id

    // The realm URL is hard-coded here while realm_id is repeated per
    // resource; keep the two in sync if the realm is ever renamed.
    idp_sso_target_url             = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
    assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url

    // NOTE(review): the key says "fingerprint" but the value is the client's
    // signing_certificate attribute, i.e. the certificate itself — confirm the
    // consumer derives the fingerprint from it (or expects the full certificate).
    signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate

    admin_groups = [keycloak_role.devops.name]
  }
}
// OIDC client for Grafana (monitoring.archlinux.org): confidential client using
// the authorization-code ("standard") flow.
resource "keycloak_openid_client" "grafana_openid_client" {
  realm_id    = "archlinux"
  name        = "Grafana"
  client_id   = "openid_grafana"
  enabled     = true
  access_type = "CONFIDENTIAL"

  // Read from the vault-encrypted group_vars at plan time. Like every
  // client_secret it is persisted in terraform state in clear, so the state
  // backend has to be treated as sensitive.
  client_secret = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret

  standard_flow_enabled = true

  // Exact redirect URIs, no wildcards: the authorization code can only be
  // delivered to these two locations.
  valid_redirect_uris = [
    "https://monitoring.archlinux.org",
    "https://monitoring.archlinux.org/login/generic_oauth",
  ]
}
// Exposes the user's realm roles to Grafana as a multivalued "roles" claim.
// Both token flags are off, so the claim is embedded in neither the ID nor the
// access token; it is then only reachable via the userinfo endpoint
// (add_to_userinfo is not set here and keeps its default) — verify Grafana's
// role mapping reads from userinfo.
resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
  realm_id  = "archlinux"
  client_id = keycloak_openid_client.grafana_openid_client.id
  name      = "user realms"

  claim_name  = "roles"
  multivalued = true

  add_to_id_token     = false
  add_to_access_token = false
}
// OIDC client for HedgeDoc (md.archlinux.org), same shape as the Grafana client.
resource "keycloak_openid_client" "hedgedoc_openid_client" {
  realm_id    = "archlinux"
  name        = "Hedgedoc"
  client_id   = "openid_hedgedoc"
  enabled     = true
  access_type = "CONFIDENTIAL"

  // Read from the vault-encrypted group_vars at plan time; ends up in terraform
  // state in clear.
  client_secret = data.external.vault_hedgedoc.result.vault_hedgedoc_client_secret

  standard_flow_enabled = true

  // NOTE(review): a host-wide wildcard accepts any path on md.archlinux.org as
  // a redirect target. Narrowing it to the exact OAuth callback path reduces
  // the surface for redirect-based authorization-code leakage; the right path
  // depends on the HedgeDoc configuration, so the value is left as is here.
  valid_redirect_uris = [
    "https://md.archlinux.org/*",
  ]
}
// Realm roles for HedgeDoc as a multivalued "roles" claim. Same flags as the
// Grafana mapper: not in the ID or access token, so only available through
// userinfo (add_to_userinfo is not set here and keeps its default).
resource "keycloak_openid_user_realm_role_protocol_mapper" "hedgedoc_user_realm_role_mapper" {
  realm_id  = "archlinux"
  client_id = keycloak_openid_client.hedgedoc_openid_client.id
  name      = "user realms"

  claim_name  = "roles"
  multivalued = true

  add_to_id_token     = false
  add_to_access_token = false
}
// OIDC client for the Matrix homeserver (Synapse on matrix.archlinux.org):
// confidential client using the authorization-code flow.
resource "keycloak_openid_client" "matrix_openid_client" {
  realm_id    = "archlinux"
  name        = "Matrix"
  client_id   = "openid_matrix"
  enabled     = true
  access_type = "CONFIDENTIAL"

  // Read from the vault-encrypted group_vars at plan time; ends up in terraform
  // state in clear.
  client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret

  standard_flow_enabled = true

  // Single exact callback URI — no wildcard.
  valid_redirect_uris = [
    "https://matrix.archlinux.org/_synapse/client/oidc/callback",
  ]
}
// Realm roles for Matrix as a multivalued "roles" claim. Unlike the Grafana and
// HedgeDoc mappers this one puts the claim into the ID token, presumably because
// Synapse's OIDC mapping reads claims from the ID token — confirm against the
// homeserver's oidc_providers configuration. The access token stays role-free.
resource "keycloak_openid_user_realm_role_protocol_mapper" "matrix_user_realm_role_mapper" {
  realm_id  = "archlinux"
  client_id = keycloak_openid_client.matrix_openid_client.id
  name      = "user realms"

  claim_name  = "roles"
  multivalued = true

  add_to_id_token     = true
  add_to_access_token = false
}