Domů Procházet Nápověda
Přihlásit se
bat9go
/
Ycsecurity
zrcadlo https://github.com/yandex-cloud/yc-solution-library-for-security
Sledovat 1
Oblíbit 0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Větev: fix-typos
Větve Značky
Ycsecurity
/
network-sec
/
remote-access-vpn
/
keycloak-config
/
keycloak-config.tf

keycloak-config.tf 2.1 KB
Trvalý odkaz Historie Surový

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. # ================================
    2. 

  2. # Keycloak configuration resources 
    3. 

  3. # ================================
    4. 

  4. 

  5. # https://github.com/mrparkers/terraform-provider-keycloak/tree/master
    6. 

  6. 

  7. provider "keycloak" {
    8. 

  8.   client_id = "admin-cli"
    9. 

  9.   username = module.settings.keycloak.admin_user
    10. 

  10.   password = var.kc_admin_password
    11. 

  11.   url = "https://${module.settings.keycloak.subdomain}.${module.settings.domain}:${module.settings.keycloak.port}"
    12. 

  12. }
    13. 

  13. 

  14. resource "random_string" "kc_test_user_password" {
    15. 

  15.   length  = 12
    16. 

  16.   upper   = true
    17. 

  17.   lower   = true
    18. 

  18.   numeric  = true
    19. 

  19.   special = true
    20. 

  20.   override_special = "!@%&*()-_=+[]{}<>:?"
    21. 

  21. }
    22. 

  22. 

  23. resource "keycloak_realm" "realm" {
    24. 

  24.   realm = "firezone"
    25. 

  25.   enabled = true
    26. 

  26.   display_name = "Firezone"
    27. 

  27.   display_name_html = "<b>Firezone</b>"
    28. 

  28.   ssl_required = "external"
    29. 

  29.   registration_allowed = false
    30. 

  30.   registration_email_as_username = false
    31. 

  31.   remember_me = false
    32. 

  32.   verify_email = false
    33. 

  33.   reset_password_allowed = false
    34. 

  34.   login_with_email_allowed = false
    35. 

  35. 

  36.   internationalization {
    37. 

  37.     supported_locales = [ "en" ]
    38. 

  38.     default_locale = "en"
    39. 

  39.   }
    40. 

  40. }
    41. 

  41. 

  42. # Keycloak OpenID Connect client
    43. 

  43. resource "keycloak_openid_client" "firezone" {
    44. 

  44.   realm_id            = keycloak_realm.realm.id
    45. 

  45.   client_id           = "firezone"
    46. 

  46.   name                = "Keycloak for Firezone"
    47. 

  47.   enabled             = true
    48. 

  48.   access_type         = "CONFIDENTIAL"
    49. 

  49.   standard_flow_enabled = true
    50. 

  50.   direct_access_grants_enabled = true
    51. 

  51.   use_refresh_tokens  = true
    52. 

  52.   pkce_code_challenge_method = "S256"
    53. 

  53.   valid_redirect_uris = [
    54. 

  54.     "https://${module.settings.firezone.subdomain}.${module.settings.domain}/auth/oidc/keycloak/callback/"
    55. 

  55.   ]
    56. 

  56.   valid_post_logout_redirect_uris = [
    57. 

  57.     "https://${module.settings.firezone.subdomain}.${module.settings.domain}/"
    58. 

  58.   ]
    59. 

  59. }
    60. 

  60. 

  61. # Keycloak test user account
    62. 

  62. resource "keycloak_user" "test_user" {
    63. 

  63.   realm_id = keycloak_realm.realm.id
    64. 

  64.   username = module.settings.keycloak.test_user.name
    65. 

  65.   enabled = true
    66. 

  66.   email = module.settings.keycloak.test_user.email
    67. 

  67.   email_verified = true
    68. 

  68.   attributes = {}
    69. 

  69.   initial_password {
    70. 

  70.     value = "${random_string.kc_test_user_password.result}"
    71. 

  71.     temporary = false
    72. 

  72.   }
    73. 

  73. }
    74.