fix(ops/keycloak): fix assigning grafana_roles

keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was missing. It is configured to make the client roles for this Application (and only those for this application) available in the grafana_roles claim. We can also disable full scope, as we're not interested in other role mappings. The Terraform files are a bit reorganized, everything configuring the Grafana client lives in grafana.tf (and vice-versa for Forgejo, Buildkite and Gerrit). The only thing left in permissions.tf is global groups, their memberships and mappings. Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2 Reviewed-on: https://cl.snix.dev/c/snix/+/30476 Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de> Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 00:34:23 +03:00 · 2025-05-05 00:34:23 +03:00 · e20ff4cb60
commit e20ff4cb60
parent 018f3b38a6
7 changed files with 144 additions and 144 deletions
--- a/ops/keycloak/grafana.tf
+++ b/ops/keycloak/grafana.tf
@ -0,0 +1,58 @@
+resource "keycloak_openid_client" "grafana" {
+  realm_id              = keycloak_realm.snix.id
+  client_id             = "grafana"
+  name                  = "Grafana"
+  enabled               = true
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  base_url              = "https://status.snix.dev"
+
+  // disable full scope, roles are assigned via keycloak_openid_user_client_role_protocol_mapper
+  full_scope_allowed    = false
+
+  valid_redirect_uris = [
+    "https://status.snix.dev/*",
+  ]
+}
+
+resource "keycloak_role" "grafana_editor" {
+  realm_id    = keycloak_realm.snix.id
+  client_id   = keycloak_openid_client.grafana.id
+  name        = "Editor"
+  description = "Can edit things in Grafana"
+}
+
+resource "keycloak_role" "grafana_admin" {
+  realm_id    = keycloak_realm.snix.id
+  client_id   = keycloak_openid_client.grafana.id
+  name        = "Admin"
+  description = "Can admin things in Grafana"
+}
+
+# Expose the above two roles at `grafana_roles`
+resource "keycloak_openid_user_client_role_protocol_mapper" "grafana_role_mapper" {
+  realm_id = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.grafana.id
+  name = "grafana_roles mapper"
+
+  claim_name = "grafana_roles"
+  claim_value_type = "String"
+  add_to_id_token = true
+  add_to_access_token = true
+  multivalued = true
+
+  # https://github.com/keycloak/terraform-provider-keycloak/issues/1016
+  client_id_for_role_mappings = keycloak_openid_client.grafana.client_id
+}
+
+# It seems this is necessary
+resource "keycloak_openid_client_default_scopes" "grafana_default_scopes" {
+  realm_id  = keycloak_realm.snix.id
+  client_id = keycloak_openid_client.grafana.id
+
+  default_scopes = [
+    "profile",
+    "email",
+    "roles",
+  ]
+}