From d814c7afa84c49d62d98b84ff4277f1dc39688e1 Mon Sep 17 00:00:00 2001
From: edef
Date: Tue, 1 Apr 2025 18:50:56 +0000
Subject: [PATCH] feat(ops/keycloak): configure user profile declaratively

This mostly matches the default configuration, but notably does not make the lastName field mandatory, in order to accommodate mononymy.

Change-Id: I47ca86a179eb9b7dcf5f3e761681c78e22f5265c
Fixes: https://git.snix.dev/snix/snix/issues/104
Reviewed-on: https://cl.snix.dev/c/snix/+/30289
Reviewed-by: Florian Klink
Tested-by: besadii
---
 ops/keycloak/attributes.tf | 94 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 ops/keycloak/attributes.tf

diff --git a/ops/keycloak/attributes.tf b/ops/keycloak/attributes.tf
new file mode 100644
index 000000000..8632256e3
--- /dev/null
+++ b/ops/keycloak/attributes.tf
@@ -0,0 +1,94 @@
+resource "keycloak_realm_user_profile" "user_profile" {
+ realm_id = keycloak_realm.snix.id
+
+ # Username attribute
+ attribute {
+ name = "username"
+ display_name = "$${username}"
+ permissions {
+ view = ["admin", "user"]
+ edit = ["admin", "user"]
+ }
+ validator {
+ name = "length"
+ config = {
+ min = "3"
+ max = "255"
+ }
+ }
+ validator {
+ name = "username-prohibited-characters"
+ }
+ validator {
+ name = "up-username-not-idn-homograph"
+ }
+ }
+
+ # Email attribute
+ attribute {
+ name = "email"
+ display_name = "$${email}"
+ required_for_roles = ["user"]
+ permissions {
+ view = ["admin", "user"]
+ edit = ["admin", "user"]
+ }
+ validator {
+ name = "email"
+ }
+ validator {
+ name = "length"
+ config = {
+ max = "255"
+ }
+ }
+ }
+
+ # First Name attribute
+ attribute {
+ name = "firstName"
+ display_name = "$${firstName}"
+ required_for_roles = ["user"]
+ permissions {
+ view = ["admin", "user"]
+ edit = ["admin", "user"]
+ }
+ validator {
+ name = "length"
+ config = {
+ max = "255"
+ }
+ }
+ validator {
+ name = "person-name-prohibited-characters"
+ }
+ }
+
+ # Last Name attribute
+ attribute {
+ name = "lastName"
+ display_name = "$${lastName}"
+ # NOTE(edef): explicitly not required, to accommodate mononymy
+ # required_for_roles = ["user"]
+ permissions {
+ view = ["admin", "user"]
+ edit = ["admin", "user"]
+ }
+ validator {
+ name = "length"
+ config = {
+ max = "255"
+ }
+ }
+ validator {
+ name = "person-name-prohibited-characters"
+ }
+ }
+
+ # User metadata group
+ group {
+ name = "user-metadata"
+ display_header = "User metadata"
+ display_description = "Attributes, which refer to user metadata"
+ }
+}
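Review bot: The `username` and `email` attributes both carry `edit = ["admin", "user"]`, so a signed-in user can change their own login identifiers through the account console, and anything downstream that keys on username rather than the token's `sub` will see a rename as a new identity while the old name becomes free for someone else to claim. Whether Keycloak actually honours the user edit permission on these two attributes also depends on the realm's edit-username, verify-email and login-with-email settings on `keycloak_realm.snix`, which are outside this patch, so they should be checked alongside this file rather than assumed. If self-service renames are not intended, `edit = ["admin"]` on the `username` attribute (keeping `view = ["admin", "user"]`) is the one-line change, with the same decision recorded explicitly for `email`. The resource also leaves `unmanaged_attribute_policy` unset, which keeps undeclared attributes disabled — the safe default — and a comment such as `# unmanaged_attribute_policy intentionally unset: attributes not declared here are not accepted` would make that explicit so a later edit does not enable it casually.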