feat(ops/keycloak): configure user profile declaratively

This mostly matches the default configuration, but notably does not make the lastName field mandatory, in order to accommodate mononymy. Change-Id: I47ca86a179eb9b7dcf5f3e761681c78e22f5265c Fixes: https://git.snix.dev/snix/snix/issues/104 Reviewed-on: https://cl.snix.dev/c/snix/+/30289 Reviewed-by: Florian Klink <flokli@flokli.de> Tested-by: besadii
2025-04-01 18:50:56 +00:00 · 2025-04-01 18:50:56 +00:00 · d814c7afa8
commit d814c7afa8
parent 11aa4182b6
1 changed files with 94 additions and 0 deletions
--- a/ops/keycloak/attributes.tf
+++ b/ops/keycloak/attributes.tf
@ -0,0 +1,94 @@
+resource "keycloak_realm_user_profile" "user_profile" {
+  realm_id = keycloak_realm.snix.id
+
+  # Username attribute
+  attribute {
+    name         = "username"
+    display_name = "$${username}"
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+    validator {
+      name = "length"
+      config = {
+        min = "3"
+        max = "255"
+      }
+    }
+    validator {
+      name = "username-prohibited-characters"
+    }
+    validator {
+      name = "up-username-not-idn-homograph"
+    }
+  }
+
+  # Email attribute
+  attribute {
+    name         = "email"
+    display_name = "$${email}"
+    required_for_roles = ["user"]
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+    validator {
+      name = "email"
+    }
+    validator {
+      name = "length"
+      config = {
+        max = "255"
+      }
+    }
+  }
+
+  # First Name attribute
+  attribute {
+    name         = "firstName"
+    display_name = "$${firstName}"
+    required_for_roles = ["user"]
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+    validator {
+      name = "length"
+      config = {
+        max = "255"
+      }
+    }
+    validator {
+      name = "person-name-prohibited-characters"
+    }
+  }
+
+  # Last Name attribute
+  attribute {
+    name         = "lastName"
+    display_name = "$${lastName}"
+    # NOTE(edef): explicitly not required, to accommodate mononymy
+    # required_for_roles = ["user"]
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+    validator {
+      name = "length"
+      config = {
+        max = "255"
+      }
+    }
+    validator {
+      name = "person-name-prohibited-characters"
+    }
+  }
+
+  # User metadata group
+  group {
+    name                = "user-metadata"
+    display_header      = "User metadata"
+    display_description = "Attributes, which refer to user metadata"
+  }
+}