From 6576c2f15fc98f9432b0a0ce6b4f23a8528f30d9 Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Tue, 20 Sep 2022 12:19:54 +0300
Subject: [PATCH] feat(ops/keycloak): import github identity provider
 configuration

For some reason Terraform decided that it would otherwise like
to *delete* this configuration, which is undesirable.

Note that there is a "magic" special behaviour when the `alias` and
`provider_id` are set to the name of a built-in supported
provider (github, gitlab etc.), which lets us skip the
authorization_url setup.

Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
---
 ops/keycloak/main.tf         |   2 +-
 ops/keycloak/user_sources.tf |  23 +++++++++++++++++++++++
 ops/secrets/tf-keycloak.age  | Bin 981 -> 1001 bytes
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index a8e2d82a3..c18f4a178 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -1,6 +1,6 @@
 # Configure TVL Keycloak instance.
 #
-# TODO(tazjin): Configure GitHub/GitLab IDP
+# TODO(tazjin): Configure GitLab IDP
 
 terraform {
   required_providers {
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
index 3fde6e07c..01307fff8 100644
--- a/ops/keycloak/user_sources.tf
+++ b/ops/keycloak/user_sources.tf
@@ -2,6 +2,10 @@
 # information (either by accessing a system like LDAP or integration
 # through protocols like OIDC).
 
+variable "github_client_secret" {
+  type = string
+}
+
 resource "keycloak_ldap_user_federation" "tvl_ldap" {
   name                    = "tvl-ldap"
   realm_id                = keycloak_realm.tvl.id
@@ -19,3 +23,22 @@ resource "keycloak_ldap_user_federation" "tvl_ldap" {
     "organizationalPerson",
   ]
 }
+
+# keycloak_oidc_identity_provider.github will be destroyed
+# (because keycloak_oidc_identity_provider.github is not in configuration)
+resource "keycloak_oidc_identity_provider" "github" {
+  alias                 = "github"
+  provider_id           = "github"
+  client_id             = "6d7f8bb2e82bb6739556"
+  client_secret         = var.github_client_secret
+  realm                 = keycloak_realm.tvl.id
+  backchannel_supported = false
+  gui_order             = "1"
+  store_token           = false
+  sync_mode             = "IMPORT"
+  trust_email           = true
+
+  # These default to built-in values for the `github` provider_id.
+  authorization_url = ""
+  token_url         = ""
+}
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
index b450e84fb069280e24f7adccd8a2cef7bd7b57bb..c916dcd2a3565260556e5bb8e8684ad961af2ec5 100644
GIT binary patch
delta 914
zcmcc0{*rxyPJNM)w@12fet4OCc4CQBU|D5YNLWEheprC3XI_3{N`zxUey(v^sJCBb
zIafrwTVY~$Kx(N+WMHY8cY3*nS7dN`L7KO5nWv+1WLB!Hp>sh_Rd}#|IhU@TLUD11
zZfc5=si~o*LRGSJX@;YMiAlIgq)9-8sb6tMX?T)lshhd8X{t+JR&ZfNYJO$8yG5E&
zURtVqT0x~FS5;bhq@}-8et2+pNOrhaYDAHKYG|r<sIQY(S&FM+VpwWXdbWPLYhZTz
z#E;_PCO+B)!9gZoKIVDJIXRgg;hqtut}f>JX&!}sp{WIyo=JsS#;Jw+AzArcS>{y+
zq1o;(7MUSMRVH4Bp~21-<rdjVCfP=g#T8WsWtrNUKF<2yzEz=<;~B-nQ_Ukhiz*xo
zjLkhNER9O4f<vNwQmcF{b1O?j3(ONO3S1mZbKTPYirp-@G6Ivr@+%@E^u3%M4YdP9
zopXx<94m4Iql$}-!m`awlJl~>@~R?&l3a@?pJf!UPpb4QFfhmsw=k(Had8WXO3n)R
z%qs{pG1gD<FiB5yPb$a`^i4IX49s)o3f0yx3<=ZEGxl`J$?*#*D04S=&n!>M(GT-Y
z&MJ3tF?Dk+N(~N)$}MvQ#ehL*TA`|LdQoa(aVl4qab=}ffk|>!fr&+yOQ>g=tEIVq
zT1dS`ahZRZOQl(sTY0{@yQ6ooML?c+l6FaQhEH~>nSrCRS&6=9u%}}#SFTyOF_*5c
zu0nohYPx$^x>JOAfTd+haH)TaVOXY#sh4+Bs*z!lubXLMPH9j?aj1D<GMD{}9p|MV
zY9yBy&Us!^%yDGLv6i2Pr4}A33pxFtmjr~@XEN-S|L~>MdHT2i=Re-tmHx1Iqs9)I
z<}*4wU!2O5S@|}Vb(g|)#mGC`=bUGC4(~fUb^QvKZ<o%!P>=n){Jvb`o#|5RukF^}
zv-{Y$dub=4mR}YY-}Tj))#88jL7DH@1m`+xw##Z7?)><~_5F7BOFjHy98X(WKSz6i
z%+=7{uYd4<y+YYxzAu)ml|*OSFM7K6s=E4?`QFh%Qn%jq$I6Rs{GL;H)No1W{eL^_
z>}UR*s=NGtX4lqyrz1(rmwa`To~|gDA;KXq+x6OHrv|TU<LTqF>3q4JpMDql7~b?=
zc1Z4)d|q7h9hsxAT-fi1gvV-G7p$}X&n=p}uhivQ&H66G9|oLjRyLj#*I2OeH2~y$
BV$J{n

delta 893
zcmaFKewBTKPJL35TWNv2x1qLwg>g`BSdfW<Nmi&uVMw5hky}xiVQ6A%mPeMeL1mh;
zE0=j<NR&}(ph;>{sdqqzOOQpbe?@qdi&<V^P)Jgxg?VI%lc%?TT56J4GMBEMLUD11
zZfc5=si~o*LRGSJX@;YMzL9TgMp1-WqJ@E1gh!f-v71Fep=WSaQlfT%ldoBBu~ATH
zKvhnuV@5_fm$tW0ijPNdrE^|cwu@&;g=LbZwx>^MrGcBDOGR#wc}8(ru|>L9pleX}
z#E;_P*_p}tMusVVenkb2p#iB$z9r87m08-U=4SbcMmZ^^J~{fXWmzuz`XRnt<)-eb
z?m>lB5fSN@X+~vL#RVZzCZS#dj#Z(#fl*H0PFdceCBA0arokqY;~B-n(~?r1bNwAl
z3M-S#a!pOl+zLGlEWJ(g@&i0AgWL+tN`t)0y(~O~!yH|?ay-2=!psV@N)rvz(+tzn
zqKZ<IBP){9j2*RIiwm4WGqX~P3RB7qB2pYDpJf!UcQvyp_V6v#Hg-x)HTACYPAo~z
z^)oY!sIai`4vZ>s^6}QscPjQS@p3ZZa?VW;Pj)u7G>y~`%L+*~FYvF-FEldC)Aq=6
zkMOaybgIlY45;umDsV3c#Xy{;ZhBE_VsWa1zLG({z7kh>cwSaiXmF5!vU@;Md5Dvr
zcS?P*Ws-ZLWn`X<et~I{yGfaMrjK{7tD{?yk+Gw8U`1wraB6|Cud6|1O1P0fmqB_;
zL0)=tX1HNis-aInM4m^Ec}1>izENI?t5IocNVa!YvcE@OSel`JYM7sEm07ZPS-E>r
zRa!ZhuCA^^go&SJR=9V%k9oe4VTgsNS$KU&y0=l7i++G(Mwx%HL0P(aK}3{AV3oEB
z7jOEW%G=UE_I%5K@b>n{mq$uo?9qvN&Ax&|s*^M2wEdjeGlx&#QBj&N(EG9ca`L*Z
zNe5f<ZnSTn>G=2Z%^&r~r^6ZaE5H0^$v$#BdB+#yWlZ|b36`mCNkP2qUPmhWGWz&S
zUoY1zDGHQ0KmWmBJ{G1NnM0A`3@N9~9xBZV{lD61#n;1qb#ZrEO<1?(y$%+!@z>&8
zo0mT~&iHiJwD{0(d;IR}s5r}{?zA~q_<Za0b(RJzI4!v@tX6x$@;qH`y^D%fao2J+
a>&eS2qjy(Mnc}s+%%pTK-(RU2)o}pk07ZBJ