feat(ops/keycloak): configure Buildkite SAML

This enables logging in to Buildkite with SAML.

Fixes #95.

Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>

ops/keycloak/buildkite.tf

@@ -1,31 +1,35 @@
-# resource "keycloak_saml_client" "buildkite" {
+# On the Buildkite site, first create manually, then use
-#   realm_id  = keycloak_realm.snix.id
+# $BUILDKITE_URL/realms/$realm/protocol/saml/descriptor as Meta Data URL
-#   client_id = "https://buildkite.com"
+resource "keycloak_saml_client" "buildkite" {
-#   name      = "Buildkite"
+  realm_id  = keycloak_realm.snix.id
-#   base_url  = "https://buildkite.com/sso/snix"
+  client_id = "https://buildkite.com"
+  name      = "Buildkite"
+  base_url  = "https://buildkite.com/sso/snix"
 
-#   client_signature_required   = false
+  client_signature_required   = false
-#   assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+  assertion_consumer_post_url = "https://buildkite.com/sso/~/01969dae-b653-4e3e-8056-eff685823c6f/saml/consume"
 
-#   valid_redirect_uris = [
+  valid_redirect_uris = [
-#     "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
+    "https://buildkite.com/sso/~/01969dae-b653-4e3e-8056-eff685823c6f/saml/consume"
-#   ]
+  ]
-# }
 
-# resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+  full_scope_allowed = false
-#   realm_id                   = keycloak_realm.snix.id
+}
-#   client_id                  = keycloak_saml_client.buildkite.id
-#   name                       = "buildkite-email-mapper"
-#   user_attribute             = "email"
-#   saml_attribute_name        = "email"
-#   saml_attribute_name_format = "Unspecified"
-# }
 
-# resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
-#   realm_id                   = keycloak_realm.snix.id
+  realm_id                   = keycloak_realm.snix.id
-#   client_id                  = keycloak_saml_client.buildkite.id
+  client_id                  = keycloak_saml_client.buildkite.id
-#   name                       = "buildkite-name-mapper"
+  name                       = "buildkite-email-mapper"
-#   user_attribute             = "displayName"
+  user_attribute             = "email"
-#   saml_attribute_name        = "name"
+  saml_attribute_name        = "email"
-#   saml_attribute_name_format = "Unspecified"
+  saml_attribute_name_format = "Unspecified"
-# }
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+  realm_id                   = keycloak_realm.snix.id
+  client_id                  = keycloak_saml_client.buildkite.id
+  name                       = "buildkite-name-mapper"
+  user_attribute             = "displayName"
+  saml_attribute_name        = "name"
+  saml_attribute_name_format = "Unspecified"
+}