mirror/ infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-06 14:36:09 +02:00
Code Issues
infrastructure/tf-stage2/keycloak.tf
Kristian Klausen e128cd0f4c
tf-stage2: Update code to reflect that Keycloak registration is disabled 
Registration has been disabled since 2023-07-09, so the code should have
been updated a long time ago.
2024-03-23 15:13:38 +01:00

1058 lines
32 KiB
HCL
Raw Permalink Blame History

terraform {
backend "pg" {
schema_name = "terraform_remote_state_stage2"
}
}
data "external" "vault_keycloak" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_keycloak.yml",
"vault_keycloak_admin_user",
"vault_keycloak_admin_password",
"vault_keycloak_smtp_user",
"vault_keycloak_smtp_password",
"vault_keycloak_gluebuddy_openid_client_secret",
"--format", "json"]
}
data "external" "vault_hcaptcha" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../misc/vaults/vault_hcaptcha.yml",
"vault_hcaptcha_accounts_archlinux_org_sitekey",
"vault_hcaptcha_secret_key",
"--format", "json"]
}
data "external" "vault_github" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_github.yml",
"vault_github_oauth_app_client_id",
"vault_github_oauth_app_client_secret",
"--format", "json"]
}
data "external" "vault_monitoring" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_monitoring.yml",
"vault_monitoring_grafana_client_secret",
"--format", "json"]
}
data "external" "vault_hedgedoc" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_hedgedoc.yml",
"vault_hedgedoc_client_secret",
"--format", "json"]
}
data "external" "vault_matrix" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_matrix.yml",
"vault_matrix_openid_client_secret",
"--format", "json"]
}
data "external" "vault_security_tracker" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_security_tracker.yml",
"vault_security_tracker_openid_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
password = data.external.vault_keycloak.result.vault_keycloak_admin_password
url = "https://accounts.archlinux.org"
}
variable "gitlab_instance" {
default = {
root_url = "https://gitlab.archlinux.org"
saml_redirect_url = "https://gitlab.archlinux.org/users/auth/saml/callback"
}
}
resource "keycloak_realm" "archlinux" {
realm = "archlinux"
enabled = true
remember_me = true
display_name = "Arch Linux"
display_name_html = "<div class=\"kc-logo-text\"><span>Arch Linux</span></div>"
registration_allowed = false
reset_password_allowed = true
verify_email = true
login_with_email_allowed = true
password_policy = "length(8) and notUsername"
web_authn_policy {
relying_party_entity_name = "Arch Linux SSO"
relying_party_id = "accounts.archlinux.org"
signature_algorithms = ["ES256", "RS256", "ES512", "RS512"]
}
login_theme = "archlinux"
account_theme = "archlinux"
admin_theme = "archlinux"
email_theme = "archlinux"
browser_flow = "Arch Browser"
registration_flow = "Arch Registration"
reset_credentials_flow = "Arch Reset Credentials"
smtp_server {
host = "mail.archlinux.org"
from = "accounts@archlinux.org"
port = "465"
from_display_name = "Arch Linux Accounts"
ssl = true
starttls = false
auth {
username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
}
}
security_defenses {
headers {
x_frame_options = "ALLOW-FROM https://www.google.com https://newassets.hcaptcha.com"
content_security_policy = "frame-src 'self' https://www.google.com https://newassets.hcaptcha.com; frame-ancestors 'self'; object-src 'none';"
content_security_policy_report_only = ""
x_content_type_options = "nosniff"
x_robots_tag = "none"
x_xss_protection = "1; mode=block"
strict_transport_security = "max-age=31536000; includeSubDomains"
}
brute_force_detection {
permanent_lockout = false
max_login_failures = 30
wait_increment_seconds = 60
quick_login_check_milli_seconds = 1000
minimum_quick_login_wait_seconds = 60
max_failure_wait_seconds = 900
failure_reset_time_seconds = 43200
}
}
attributes = {
userProfileEnabled = true
}
}
resource "keycloak_realm_user_profile" "archlinux" {
realm_id = keycloak_realm.archlinux.id
attribute {
name = "username"
display_name = "$${username}"
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "length"
config = {
min = 3
max = 255
}
}
validator {
name = "username-prohibited-characters"
}
validator {
name = "up-username-not-idn-homograph"
}
}
attribute {
name = "email"
display_name = "$${email}"
required_for_roles = ["user"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "email"
}
validator {
name = "length"
config = {
max = 255
}
}
}
attribute {
name = "firstName"
display_name = "$${firstName}"
required_for_roles = ["user"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "length"
config = {
max = 255
}
}
validator {
name = "person-name-prohibited-characters"
}
}
attribute {
name = "lastName"
display_name = "$${lastName}"
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "length"
config = {
max = 255
}
}
validator {
name = "person-name-prohibited-characters"
}
}
attribute {
name = "archQuestion"
display_name = "What is the output of: LC_ALL=C pacman -V|tail -n3|base32|head -1 ?"
required_for_roles = ["user"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "pattern"
config = {
pattern = "^EAQCAIBAEAQCAIBAEAQCAIBAEAQCAIBAEAQCAVDINFZSA4DSN5TXEYLNEBWWC6JAMJSSAZTSMVSW$"
error-message = "Nope"
}
}
}
}
resource "keycloak_required_action" "custom-terms-and-conditions" {
realm_id = "archlinux"
alias = "TERMS_AND_CONDITIONS"
default_action = true
enabled = true
name = "Terms and Conditions"
}
resource "keycloak_required_action" "configure_otp" {
realm_id = "archlinux"
alias = "CONFIGURE_TOTP"
default_action = true
enabled = true
name = "Configure OTP"
priority = 0
}
resource "keycloak_required_action" "update_password" {
realm_id = "archlinux"
alias = "UPDATE_PASSWORD"
enabled = true
name = "Update Password"
priority = 20
}
resource "keycloak_required_action" "update_profile" {
realm_id = "archlinux"
alias = "UPDATE_PROFILE"
enabled = true
name = "Update Profile"
priority = 30
}
resource "keycloak_required_action" "verify_email" {
realm_id = "archlinux"
alias = "VERIFY_EMAIL"
enabled = true
name = "Verify Email"
priority = 40
}
resource "keycloak_required_action" "update_user_locale" {
realm_id = "archlinux"
alias = "update_user_locale"
enabled = true
name = "Update User Locale"
priority = 50
}
resource "keycloak_required_action" "webauthn_register" {
realm_id = "archlinux"
alias = "webauthn-register"
enabled = true
name = "Webauthn Register"
priority = 60
}
resource "keycloak_required_action" "verify_profile" {
realm_id = "archlinux"
alias = "VERIFY_PROFILE"
default_action = true
enabled = true
name = "Verify Profile"
priority = 70
}
resource "keycloak_realm_events" "realm_events" {
realm_id = "archlinux"
events_enabled = true
events_expiration = 7889238 # 3 months
admin_events_enabled = true
admin_events_details_enabled = true
# When omitted or left empty, keycloak will enable all event types
enabled_event_types = [
]
events_listeners = [
"jboss-logging", # keycloak enables the 'jboss-logging' event listener by default.
"metrics-listener", # enable the prometheus exporter (keycloak-metrics-spi)
]
}
resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
realm = "archlinux"
alias = "github"
provider_id = "github"
authorization_url = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
token_url = ""
default_scopes = ""
post_broker_login_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
enabled = true
trust_email = false
store_token = false
backchannel_supported = false
sync_mode = "IMPORT"
}
resource "keycloak_saml_client" "saml_gitlab" {
realm_id = "archlinux"
client_id = "saml_gitlab"
name = "Arch Linux GitLab"
enabled = true
signature_algorithm = "RSA_SHA256"
sign_documents = true
sign_assertions = true
valid_redirect_uris = [
var.gitlab_instance.saml_redirect_url
]
root_url = var.gitlab_instance.root_url
base_url = "/"
master_saml_processing_url = var.gitlab_instance.saml_redirect_url
idp_initiated_sso_url_name = "saml_gitlab"
front_channel_logout = false
assertion_consumer_post_url = var.gitlab_instance.saml_redirect_url
}
// This client is only used for the return URL redirect hack!
// See roles/gitlab/tasks/main.yml
resource "keycloak_openid_client" "openid_gitlab" {
realm_id = "archlinux"
client_id = "openid_gitlab"
name = "Arch Linux Accounts"
enabled = true
access_type = "PUBLIC"
standard_flow_enabled = true
use_refresh_tokens = false
full_scope_allowed = false
valid_redirect_uris = [
"https://gitlab.archlinux.org"
]
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "email"
user_property = "Email"
friendly_name = "Email"
saml_attribute_name = "email"
saml_attribute_name_format = "Basic"
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_first_name" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "first_name"
user_property = "FirstName"
friendly_name = "First Name"
saml_attribute_name = "first_name"
saml_attribute_name_format = "Basic"
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_last_name" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "last_name"
user_property = "LastName"
friendly_name = "Last Name"
saml_attribute_name = "last_name"
saml_attribute_name_format = "Basic"
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_username" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
name = "username"
user_property = "Username"
friendly_name = "Username"
saml_attribute_name = "username"
saml_attribute_name_format = "Basic"
}
// This is the super group in which we put the other Arch groups.
// We want to end up with this structure:
// Arch Linux Staff
// |- DevOps
// |- Developers
// |- Trusted Users
// |- Wiki
// | |- Admins
// | |- Maintainers
// |- Forum
// | |- Admins
// | |- Mods
// |- Security Team
// | |- Admins
// | |- Members
// |- Package Maintainer Team
// | |- Core Package Maintainers
// | |- Junior Core Package Maintainers
// | |- Package Maintainers
// | |- Junior Package Maintainers
// |- IRC
// | |- Ops
// |- Archweb
// | |- Mirrorlist Maintainers
// |- Bug Wranglers
// |- Project Maintainers
// External Contributors
// |- Security Team
// | |- Reporters
// |- Archweb
// |- Testers
resource "keycloak_group" "staff" {
realm_id = "archlinux"
name = "Arch Linux Staff"
}
resource "keycloak_group" "staff_groups" {
for_each = toset(["DevOps", "Developers", "Trusted Users", "Wiki", "Forum", "Security Team", "IRC", "Archweb", "Bug Wranglers", "Project Maintainers", "Package Maintainer Team"])
realm_id = "archlinux"
parent_id = keycloak_group.staff.id
name = each.value
}
resource "keycloak_group" "staff_wiki_groups" {
for_each = toset(["Admins", "Maintainers"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Wiki"].id
name = each.value
}
resource "keycloak_group" "staff_forum_groups" {
for_each = toset(["Admins", "Mods"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Forum"].id
name = each.value
}
resource "keycloak_group" "staff_securityteam_groups" {
for_each = toset(["Admins", "Members"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Security Team"].id
name = each.value
}
resource "keycloak_group" "staff_package_maintainer_groups" {
for_each = toset(["Core Package Maintainers", "Junior Core Package Maintainers", "Package Maintainers", "Junior Package Maintainers"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Package Maintainer Team"].id
name = each.value
}
resource "keycloak_group" "staff_irc_groups" {
for_each = toset(["Ops"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["IRC"].id
name = each.value
}
resource "keycloak_group" "staff_archweb_groups" {
for_each = toset(["Mirrorlist Maintainers"])
realm_id = "archlinux"
parent_id = keycloak_group.staff_groups["Archweb"].id
name = each.value
}
resource "keycloak_group" "externalcontributors" {
realm_id = "archlinux"
name = "External Contributors"
}
resource "keycloak_group" "externalcontributors_groups" {
for_each = toset(["Security Team", "Archweb"])
realm_id = "archlinux"
parent_id = keycloak_group.externalcontributors.id
name = each.value
}
resource "keycloak_group" "externalcontributors_securityteam_groups" {
for_each = toset(["Reporters"])
realm_id = "archlinux"
parent_id = keycloak_group.externalcontributors_groups["Security Team"].id
name = each.value
}
resource "keycloak_group" "externalcontributors_archweb_groups" {
for_each = toset(["Testers"])
realm_id = "archlinux"
parent_id = keycloak_group.externalcontributors_groups["Archweb"].id
name = each.value
}
resource "keycloak_role" "devops" {
realm_id = "archlinux"
name = "DevOps"
description = "Role held by members of the DevOps group"
}
resource "keycloak_role" "staff" {
realm_id = "archlinux"
name = "Staff"
description = "Role held by all Arch Linux staff"
}
resource "keycloak_role" "externalcontributor" {
realm_id = "archlinux"
name = "External Contributor"
description = "Role held by external contributors working on Arch Linux projects without further access"
}
resource "keycloak_group_roles" "devops" {
realm_id = "archlinux"
group_id = keycloak_group.staff_groups["DevOps"].id
role_ids = [
keycloak_role.devops.id
]
}
resource "keycloak_group_roles" "staff" {
realm_id = "archlinux"
group_id = keycloak_group.staff.id
role_ids = [
keycloak_role.staff.id
]
}
resource "keycloak_group_roles" "externalcontributor" {
realm_id = "archlinux"
group_id = keycloak_group.externalcontributors.id
role_ids = [
keycloak_role.externalcontributor.id
]
}
// Add new custom registration flow with hCaptcha
resource "keycloak_authentication_flow" "arch_registration_flow" {
realm_id = "archlinux"
alias = "Arch Registration"
description = "Customized Registration flow that forces enables hCaptcha."
}
resource "keycloak_authentication_subflow" "registration_form" {
realm_id = "archlinux"
alias = "Registration Form"
parent_flow_alias = keycloak_authentication_flow.arch_registration_flow.alias
provider_id = "form-flow"
authenticator = "registration-page-form"
requirement = "REQUIRED"
}
resource "keycloak_authentication_execution" "registration_user_creation" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
authenticator = "registration-user-creation"
requirement = "REQUIRED"
}
resource "keycloak_authentication_execution" "registration_password_action" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
authenticator = "registration-password-action"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.registration_user_creation]
}
resource "keycloak_authentication_execution" "registration_hcaptcha_action" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.registration_form.alias
authenticator = "registration-hcaptcha-action"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.registration_password_action]
}
resource "keycloak_authentication_execution_config" "registration_hcaptcha_action_config" {
realm_id = "archlinux"
alias = "hCaptcha config"
execution_id = keycloak_authentication_execution.registration_hcaptcha_action.id
config = {
"site.key" = data.external.vault_hcaptcha.result.vault_hcaptcha_accounts_archlinux_org_sitekey
"secret" = data.external.vault_hcaptcha.result.vault_hcaptcha_secret_key
}
}
// Add new custom browser login flow with WebAuthn support and forced OTP.
//
// Try misc/kcadm_wrapper.sh get authentication/flows/{{ your flow alias}}/executions
// to make this a whole lot easier.
// NOTE: We use the `depends_on` calls to properly order the executions and subflows inside the
// flow. This has to be done until https://github.com/mrparkers/terraform-provider-keycloak/issues/296
// is fixed. :(
// We want to end up with something like this:
//
// Arch Browser flow
// |- Cookie (A)
// |- Identity Provider Redirector (A)
// |- Password and 2FA Subflow (A)
// |- Username Password Form (R)
// |- 2FA Subflow (R)
// |- WebAuthn Authenticator (A)
// |- OTP Form (A)
// |- OTP Default Subflow (A)
// |- OTP Form (R)
//
// IMPORTANT NOTE: Sometimes when changing Authentication Flows via Terraform or UI, flows can become orphaned in which
// case they'll hang around the database doing nothing useful and blocking alias names and causing 409 CONFLICTS. If such
// a thing happens, you'll have to get dirty and and manually clean up the authentication_flows and authentication_executions
// tables on the Keycloak Postgres DB! Quality Red Hat software right there.
resource "keycloak_authentication_flow" "arch_browser_flow" {
realm_id = "archlinux"
alias = "Arch Browser"
description = "Customized Browser flow that forces 2FA."
}
resource "keycloak_authentication_execution" "cookie" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
authenticator = "auth-cookie"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_flow.arch_browser_flow]
}
resource "keycloak_authentication_execution" "identity_provider_redirector" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
authenticator = "identity-provider-redirector"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.cookie]
}
resource "keycloak_authentication_subflow" "password_and_2fa" {
realm_id = "archlinux"
alias = "Password and 2FA subflow"
parent_flow_alias = keycloak_authentication_flow.arch_browser_flow.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.identity_provider_redirector]
}
resource "keycloak_authentication_execution" "username_password_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
authenticator = "auth-username-password-form"
requirement = "REQUIRED"
}
resource "keycloak_authentication_subflow" "_2fa" {
realm_id = "archlinux"
alias = "2FA subflow"
parent_flow_alias = keycloak_authentication_subflow.password_and_2fa.alias
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.username_password_form]
}
resource "keycloak_authentication_execution" "webauthn_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow._2fa.alias
authenticator = "webauthn-authenticator"
requirement = "ALTERNATIVE"
}
resource "keycloak_authentication_execution" "otp_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow._2fa.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.webauthn_form]
}
resource "keycloak_authentication_subflow" "otp_default" {
realm_id = "archlinux"
alias = "OTP Default Subflow"
parent_flow_alias = keycloak_authentication_subflow._2fa.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.otp_form]
}
resource "keycloak_authentication_execution" "otp_default_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.otp_default.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
}
// Add new custom post-Identity Provider login flow with forced OTP for some user roles
//
// Arch Post IPR Flow
// |- WebAuthn Form (A)
// |- OTP Form (A)
// |- IPR OTP Default Subflow (A)
// |- OTP Form (R)
resource "keycloak_authentication_flow" "arch_post_ipr_flow" {
realm_id = "archlinux"
alias = "Arch Post IPR Flow"
description = "Post IPR login flow that forces 2FA."
}
resource "keycloak_authentication_execution" "ipr_webauthn_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
authenticator = "webauthn-authenticator"
requirement = "ALTERNATIVE"
}
resource "keycloak_authentication_execution" "ipr_otp_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.ipr_webauthn_form]
}
resource "keycloak_authentication_subflow" "ipr_otp_default" {
realm_id = "archlinux"
alias = "IPR OTP Default Subflow"
parent_flow_alias = keycloak_authentication_flow.arch_post_ipr_flow.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.ipr_otp_form]
}
resource "keycloak_authentication_execution" "ipr_otp_default_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.ipr_otp_default.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
}
// Add new custom Reset Credentials flow that asks users to verify 2FA before resetting their password
//
// Arch Reset Credentials
// |- Choose User (R)
// |- Send Reset Email (R)
// |- Conditional Reset Credentials 2FA Subflow (C)
// |- Condition - User Configured (R)
// |- Reset Credentials 2FA Subflow (R)
// |- WebAuthn Form (A)
// |- OTP Form (A)
// |- Reset Credentials OTP Default Subflow (A)
// |- OTP Form (R)
// |- Reset Password (R)
resource "keycloak_authentication_flow" "arch_reset_credentials_flow" {
realm_id = "archlinux"
alias = "Arch Reset Credentials"
description = "Reset credentials flow that forces 2FA verification before password reset."
}
resource "keycloak_authentication_execution" "rc_choose_user" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
authenticator = "reset-credentials-choose-user"
requirement = "REQUIRED"
}
resource "keycloak_authentication_execution" "rc_reset_email" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
authenticator = "reset-credential-email"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.rc_choose_user]
}
resource "keycloak_authentication_subflow" "rc_conditional_2fa" {
realm_id = "archlinux"
alias = "Conditional Reset Credentials 2FA Subflow"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
requirement = "CONDITIONAL"
depends_on = [keycloak_authentication_execution.rc_choose_user]
}
resource "keycloak_authentication_execution" "rc_2fa_condition" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
authenticator = "conditional-user-configured"
requirement = "REQUIRED"
}
resource "keycloak_authentication_subflow" "rc_2fa" {
realm_id = "archlinux"
alias = "Reset Credentials 2FA Subflow"
parent_flow_alias = keycloak_authentication_subflow.rc_conditional_2fa.alias
requirement = "REQUIRED"
depends_on = [keycloak_authentication_execution.rc_2fa_condition]
}
resource "keycloak_authentication_execution" "rc_webauthn_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
authenticator = "webauthn-authenticator"
requirement = "ALTERNATIVE"
}
resource "keycloak_authentication_execution" "rc_otp_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.rc_webauthn_form]
}
resource "keycloak_authentication_subflow" "rc_otp_default" {
realm_id = "archlinux"
alias = "Reset Credentials OTP Default Subflow"
parent_flow_alias = keycloak_authentication_subflow.rc_2fa.alias
requirement = "ALTERNATIVE"
depends_on = [keycloak_authentication_execution.rc_otp_form]
}
resource "keycloak_authentication_execution" "rc_otp_default_form" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_subflow.rc_otp_default.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
}
resource "keycloak_authentication_execution" "rc_reset_password" {
realm_id = "archlinux"
parent_flow_alias = keycloak_authentication_flow.arch_reset_credentials_flow.alias
authenticator = "reset-password"
requirement = "REQUIRED"
depends_on = [keycloak_authentication_subflow.rc_conditional_2fa]
}
output "gitlab_saml_configuration" {
value = {
issuer = keycloak_saml_client.saml_gitlab.client_id
assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
admin_groups = [keycloak_role.devops.name]
idp_sso_target_url = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
}
}
resource "keycloak_openid_client" "grafana_openid_client" {
realm_id = "archlinux"
client_id = "openid_grafana"
client_secret = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret
name = "Grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://monitoring.archlinux.org",
"https://monitoring.archlinux.org/login/generic_oauth"
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
resource "keycloak_openid_client" "hedgedoc_openid_client" {
realm_id = "archlinux"
client_id = "openid_hedgedoc"
client_secret = data.external.vault_hedgedoc.result.vault_hedgedoc_client_secret
name = "Hedgedoc"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://md.archlinux.org/*",
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "hedgedoc_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.hedgedoc_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
resource "keycloak_openid_client" "matrix_openid_client" {
realm_id = "archlinux"
client_id = "openid_matrix"
client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret
name = "Matrix"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://matrix.archlinux.org/_synapse/client/oidc/callback"
]
backchannel_logout_url = "https://matrix.archlinux.org/_synapse/client/oidc/backchannel_logout"
backchannel_logout_session_required = true
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "matrix_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.matrix_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = true
add_to_access_token = false
}
resource "keycloak_openid_client" "gluebuddy_openid_client" {
realm_id = "archlinux"
client_id = "gluebuddy"
client_secret = data.external.vault_keycloak.result.vault_keycloak_gluebuddy_openid_client_secret
web_origins = []
name = "Gluebuddy"
enabled = true
service_accounts_enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
valid_redirect_uris = [
"https://gitlab.archlinux.org/"
]
}
resource "keycloak_openid_client" "security_tracker_openid_client" {
realm_id = "archlinux"
client_id = "openid_security_tracker"
client_secret = data.external.vault_security_tracker.result.vault_security_tracker_openid_client_secret
name = "Security Tracker"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
use_refresh_tokens = false
web_origins = []
valid_redirect_uris = [
"https://security.archlinux.org/*",
]
}
resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.security_tracker_openid_client.id
name = "group-membership-mapper"
claim_name = "groups"
}
resource "keycloak_openid_client" "buildbot_openid_client" {
realm_id = "archlinux"
client_id = "openid_buildbot"
name = "Buildbot"
enabled = true
access_type = "PUBLIC"
standard_flow_enabled = true
valid_redirect_uris = [
"https://buildbot.pkgbuild.com/*",
"http://127.0.0.1:5000/*",
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "buildbot_user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.buildbot_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
View Git Blame Copy Permalink