fix(ops/keycloak): fix assigning grafana_roles

keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was missing. It is configured to make the client roles for this Application (and only those for this application) available in the grafana_roles claim. We can also disable full scope, as we're not interested in other role mappings. The Terraform files are a bit reorganized, everything configuring the Grafana client lives in grafana.tf (and vice-versa for Forgejo, Buildkite and Gerrit). The only thing left in permissions.tf is global groups, their memberships and mappings. Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2 Reviewed-on: https://cl.snix.dev/c/snix/+/30476 Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de> Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 00:34:23 +03:00 · 2025-05-05 00:34:23 +03:00 · e20ff4cb60
commit e20ff4cb60
parent 018f3b38a6
7 changed files with 144 additions and 144 deletions
--- a/ops/keycloak/permissions.tf
+++ b/ops/keycloak/permissions.tf
@ -58,38 +58,3 @@ resource "keycloak_group_roles" "trusted_contributors_roles" {
    keycloak_role.grafana_editor.id
  ]
 }
-
-# Application-level roles.
-
-# Grafana
-
-resource "keycloak_role" "grafana_editor" {
-  realm_id    = keycloak_realm.snix.id
-  client_id   = keycloak_openid_client.grafana.id
-  name        = "Editor"
-  description = "Can edit things in Grafana"
-}
-
-resource "keycloak_role" "grafana_admin" {
-  realm_id    = keycloak_realm.snix.id
-  client_id   = keycloak_openid_client.grafana.id
-  name        = "Admin"
-  description = "Can admin things in Grafana"
-}
-
-# TODO:
-# Forgejo
-
-# resource "keycloak_role" "forgejo_admin" {
-# }
-#
-# resource "keycloak_role" "forgejo_trusted_contributor" {
-# }
-#
-# # Gerrit
-#
-# resource "keycloak_role" "gerrit_admin" {
-# }
-#
-# resource "keycloak_role" "gerrit_trusted_contributor" {
-# }