From c706826aa9f35f41385c43046f8277f9daf86f67 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Mon, 5 May 2025 02:59:36 +0300
Subject: [PATCH] feat(ops/keycloak): configure Buildkite SAML
This enables logging in to Buildkite with SAML. Fixes #95.
Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink
Tested-by: besadii
Reviewed-by: Jonas Chevalier
---
 ops/keycloak/buildkite.tf | 58 +++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 27 deletions(-)
diff --git a/ops/keycloak/buildkite.tf b/ops/keycloak/buildkite.tf
index e68330406..58f5bc341 100644
--- a/ops/keycloak/buildkite.tf
+++ b/ops/keycloak/buildkite.tf
@@ -1,31 +1,35 @@
-# resource "keycloak_saml_client" "buildkite" {
-# realm_id = keycloak_realm.snix.id
-# client_id = "https://buildkite.com"
-# name = "Buildkite"
-# base_url = "https://buildkite.com/sso/snix"
+# On the Buildkite site, first create manually, then use
+# $BUILDKITE_URL/realms/$realm/protocol/saml/descriptor as Meta Data URL
+resource "keycloak_saml_client" "buildkite" {
+ realm_id = keycloak_realm.snix.id
+ client_id = "https://buildkite.com"
+ name = "Buildkite"
+ base_url = "https://buildkite.com/sso/snix"
 
-# client_signature_required = false
-# assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+ client_signature_required = false
+ assertion_consumer_post_url = "https://buildkite.com/sso/~/01969dae-b653-4e3e-8056-eff685823c6f/saml/consume"
 
-# valid_redirect_uris = [
-# "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
-# ]
-# }
+ valid_redirect_uris = [
+ "https://buildkite.com/sso/~/01969dae-b653-4e3e-8056-eff685823c6f/saml/consume"
+ ]
 
-# resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
-# realm_id = keycloak_realm.snix.id
-# client_id = keycloak_saml_client.buildkite.id
-# name = "buildkite-email-mapper"
-# user_attribute = "email"
-# saml_attribute_name = "email"
-# saml_attribute_name_format = "Unspecified"
-# }
+ full_scope_allowed = false
+}
 
-# resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
-# realm_id = keycloak_realm.snix.id
-# client_id = keycloak_saml_client.buildkite.id
-# name = "buildkite-name-mapper"
-# user_attribute = "displayName"
-# saml_attribute_name = "name"
-# saml_attribute_name_format = "Unspecified"
-# }
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+ realm_id = keycloak_realm.snix.id
+ client_id = keycloak_saml_client.buildkite.id
+ name = "buildkite-email-mapper"
+ user_attribute = "email"
+ saml_attribute_name = "email"
+ saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+ realm_id = keycloak_realm.snix.id
+ client_id = keycloak_saml_client.buildkite.id
+ name = "buildkite-name-mapper"
+ user_attribute = "displayName"
+ saml_attribute_name = "name"
+ saml_attribute_name_format = "Unspecified"
+}
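Review bot: The setup comment at the top of the hunk points at `$BUILDKITE_URL/realms/$realm/protocol/saml/descriptor`, but `/realms/<realm>/protocol/saml/descriptor` is the Keycloak IdP metadata endpoint, not a Buildkite one, so the variable name sends the operator to the wrong host; I would write `# $KEYCLOAK_URL/realms/$realm/protocol/saml/descriptor as Meta Data URL` and say what "create manually" refers to on the Buildkite side (presumably the SSO provider entry whose tenant id appears in the consume URL). Separately, `client_signature_required = false` in the `keycloak_saml_client` block disables verification of signatures on AuthnRequests from this client, which is a deliberate relaxation that deserves a why-comment, e.g. `# Buildkite sends unsigned AuthnRequests; assertions still only go to the pinned consume URL below.` if that is indeed the reason — it is not visible in this hunk. Pinning `assertion_consumer_post_url` and `valid_redirect_uris` to the tenant-specific consume URL, together with `full_scope_allowed = false`, are the controls that bound that setting, and naming them in the same comment would make the trade-off reviewable later.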