maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snix/ops/keycloak/permissions.tf
Florian Klink d9ca20a5cc feat(ops/keycloak): configure Forgejo Roles 
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 12:36:30 +00:00

60 lines
1.4 KiB
HCL
Raw Blame History

# This sets the permissions for various groups and users.
# TODO: Realm-level composite roles
# resource "keycloak_role" "is_local_admin" {
# composite_roles = [
# keycloak_role.blablabla.id
# ]
# }
#
# resource "keycloak_role" "can_manage_trusted_contributors" {
# }
#
# # WARNING: This give PII access to the user.
# resource "keycloak_role" "can_manage_snix" {
# }
# Realm-level groups to bestow to users.
resource "keycloak_group" "snix_core_team" {
realm_id = keycloak_realm.snix.id
name = "snix core team"
}
resource "keycloak_group_roles" "snix_core_team_roles" {
realm_id = keycloak_realm.snix.id
group_id = keycloak_group.snix_core_team.id
role_ids = [
# keycloak_role.is_local_admin,
# keycloak_role.can_manage_snix,
keycloak_role.grafana_admin.id,
keycloak_role.forgejo_admin.id,
# keycloak_role.gerrit_admin.id
]
}
resource "keycloak_group_memberships" "snix_core_team_members" {
realm_id = keycloak_realm.snix.id
group_id = keycloak_group.snix_core_team.id
members = [
"edef",
"flokli",
"raitobezarius"
]
}
resource "keycloak_group" "trusted_contributors" {
name = "trusted contributors"
realm_id = keycloak_realm.snix.id
}
resource "keycloak_group_roles" "trusted_contributors_roles" {
realm_id = keycloak_realm.snix.id
group_id = keycloak_group.trusted_contributors.id
role_ids = [
keycloak_role.grafana_editor.id
]
}
Reference in a new issue View git blame Copy permalink