Change-Id: Idb4352e3bbf412df5569aa988a78c6438063f93a Reviewed-on: https://cl.tvl.fyi/c/depot/+/5769 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
# All Keycloak clients, i.e. the applications that delegate user
# authentication to Keycloak.
#
# Covers both first-party (TVL-hosted) and third-party clients.

# Grafana (status.tvl.su): OIDC login via the authorization-code flow
# (standard_flow_enabled). CONFIDENTIAL means Keycloak issues a client
# secret that Grafana must present at the token endpoint, so a leaked
# authorization code on its own is not enough to obtain tokens.
resource "keycloak_openid_client" "grafana" {
  realm_id  = keycloak_realm.tvl.id
  client_id = "grafana"
  name      = "Grafana"
  enabled   = true

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  base_url              = "https://status.tvl.su"

  # NOTE(review): a wildcard redirect URI lets *any* path under the host
  # receive authorization codes, so an open redirect or XSS anywhere on
  # status.tvl.su becomes a code-leak vector (Keycloak's own docs advise
  # against wildcards here). Grafana's OAuth callback is a single fixed
  # path -- presumably /login/generic_oauth; confirm against the Grafana
  # config and narrow this to that exact URI.
  valid_redirect_uris = [
    "https://status.tvl.su/*",
  ]
}

# Gerrit (cl.tvl.fyi): OIDC login for the code-review tool, confidential
# client using the authorization-code flow.
resource "keycloak_openid_client" "gerrit" {
  realm_id    = keycloak_realm.tvl.id
  client_id   = "gerrit"
  name        = "TVL Gerrit"
  description = "TVL's code review tool"
  enabled     = true

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  base_url              = "https://cl.tvl.fyi"

  # NOTE(review): this turns on the OAuth2 Resource Owner Password
  # Credentials grant. Anyone holding a user's password (plus this client's
  # secret) can mint tokens straight from the token endpoint, bypassing the
  # browser login flow and any MFA/step-up or consent configured there.
  # Keep it only if Gerrit, or a tool that authenticates to it, genuinely
  # uses password grant -- verify, and disable it otherwise.
  direct_access_grants_enabled = true

  # session_state stays in the authorization response (it is only
  # stripped when this is true).
  exclude_session_state_from_auth_response = false

  # NOTE(review): wildcard redirect URI -- any path on cl.tvl.fyi may
  # receive authorization codes, so an open redirect/XSS on the host
  # leaks codes. Gerrit's OAuth plugin callback is a fixed path; confirm
  # it and narrow this entry to the exact URI.
  valid_redirect_uris = [
    "https://cl.tvl.fyi/*",
  ]

  # Origin allowed to make CORS requests to Keycloak's endpoints for this
  # client (pinned to the exact origin, no wildcard).
  web_origins = [
    "https://cl.tvl.fyi",
  ]
}

# Buildkite SSO over SAML 2.0. Buildkite is the service provider; the
# entity ID (client_id) and the ACS URL below are the values Buildkite
# publishes for the TVL organisation.
resource "keycloak_saml_client" "buildkite" {
  realm_id  = keycloak_realm.tvl.id
  client_id = "https://buildkite.com"
  name      = "Buildkite"
  base_url  = "https://buildkite.com/sso/tvl"

  # NOTE(review): with this off Keycloak accepts *unsigned* AuthnRequests
  # from the SP -- presumably because Buildkite does not sign its requests
  # (confirm). The exposure is limited to anyone being able to initiate a
  # login for this SP; it does not let anyone forge assertions. What does
  # matter is that Keycloak signs its own response/assertion: sign_documents
  # / sign_assertions are not set here, so provider defaults apply -- verify
  # the response reaching Buildkite is signed.
  client_signature_required = false

  # Exact ACS endpoint, no wildcard: assertions can only be POSTed to
  # Buildkite's consume URL for this organisation.
  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"

  valid_redirect_uris = [
    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
  ]
}

# Copies the Keycloak user's `email` attribute into the SAML assertion as
# the `email` attribute. NOTE(review): if Buildkite matches accounts on
# this value, the realm should require verified emails so a self-chosen
# address cannot be used to claim someone else's Buildkite seat -- confirm
# the realm's email-verification setting.
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
  realm_id  = keycloak_realm.tvl.id
  client_id = keycloak_saml_client.buildkite.id
  name      = "buildkite-email-mapper"

  user_attribute             = "email"
  saml_attribute_name        = "email"
  saml_attribute_name_format = "Unspecified"
}

# Copies the Keycloak user's `displayName` attribute into the assertion
# as the SAML `name` attribute (display purposes on the Buildkite side).
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
  realm_id  = keycloak_realm.tvl.id
  client_id = keycloak_saml_client.buildkite.id
  name      = "buildkite-name-mapper"

  user_attribute             = "displayName"
  saml_attribute_name        = "name"
  saml_attribute_name_format = "Unspecified"
}

# oauth2-proxy in front of TVL services (login.tvl.fyi): confidential
# client, authorization-code flow.
resource "keycloak_openid_client" "oauth2_proxy" {
  realm_id  = keycloak_realm.tvl.id
  client_id = "oauth2-proxy"
  name      = "TVL OAuth2 Proxy"
  enabled   = true

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true

  # Both callbacks are exact URIs (no wildcard).
  valid_redirect_uris = [
    # Production callback.
    "https://login.tvl.fyi/oauth2/callback",

    # NOTE(review): plaintext localhost callback for local development,
    # live in the production client. Any process on a developer's machine
    # bound to :4774 can be handed an authorization code for this client;
    # the code is unusable without the client secret, but it still widens
    # the attack surface. Prefer a separate dev-only client (or gate this
    # entry behind a variable) and, if the provider version supports it,
    # enforce PKCE with pkce_code_challenge_method = "S256".
    "http://localhost:4774/oauth2/callback",
  ]
}

# Adds the client's own client_id ("oauth2-proxy") to the `aud` claim of
# tokens issued for this client. oauth2-proxy validates `aud` against its
# configured client ID, so without this mapper it would presumably reject
# Keycloak's tokens.
resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
  realm_id  = keycloak_realm.tvl.id
  client_id = keycloak_openid_client.oauth2_proxy.id
  name      = "oauth2-proxy-audience"

  included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
}

# Panettone (b.tvl.fyi, the issue tracker): confidential client,
# authorization-code flow.
resource "keycloak_openid_client" "panettone" {
  realm_id  = keycloak_realm.tvl.id
  client_id = "panettone"
  name      = "Panettone"
  enabled   = true

  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true

  # Both callbacks are exact URIs (no wildcard).
  valid_redirect_uris = [
    # Production callback.
    "https://b.tvl.fyi/auth",

    # NOTE(review): plaintext localhost callback for local development,
    # registered on the production client. A process on a developer's
    # machine listening on :6161 can receive authorization codes for this
    # client (not redeemable without the client secret, but still extra
    # surface). Prefer a separate dev-only client or gate this entry
    # behind a variable.
    "http://localhost:6161/auth",
  ]
}