fix(ops/keycloak): fix assigning grafana_roles

keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was missing. It is configured to make the client roles for this Application (and only those for this application) available in the grafana_roles claim. We can also disable full scope, as we're not interested in other role mappings. The Terraform files are a bit reorganized, everything configuring the Grafana client lives in grafana.tf (and vice-versa for Forgejo, Buildkite and Gerrit). The only thing left in permissions.tf is global groups, their memberships and mappings. Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2 Reviewed-on: https://cl.snix.dev/c/snix/+/30476 Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de> Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 00:34:23 +03:00 · 2025-05-05 00:34:23 +03:00 · e20ff4cb60
commit e20ff4cb60
parent 018f3b38a6
7 changed files with 144 additions and 144 deletions
--- a/ops/keycloak/gerrit.tf
+++ b/ops/keycloak/gerrit.tf
@ -0,0 +1,26 @@
+resource "keycloak_openid_client" "gerrit" {
+  realm_id                                 = keycloak_realm.snix.id
+  client_id                                = "gerrit"
+  name                                     = "snix Gerrit"
+  enabled                                  = true
+  access_type                              = "CONFIDENTIAL"
+  standard_flow_enabled                    = true
+  base_url                                 = "https://cl.snix.dev"
+  description                              = "snix project's code review tool"
+  direct_access_grants_enabled             = true
+  exclude_session_state_from_auth_response = false
+
+  valid_redirect_uris = [
+    "https://cl.snix.dev/*",
+  ]
+
+  web_origins = [
+    "https://cl.snix.dev",
+  ]
+}
+
+# resource "keycloak_role" "gerrit_admin" {
+# }
+#
+# resource "keycloak_role" "gerrit_trusted_contributor" {
+# }