# Provider requirements for this configuration.
# Only the provider source is declared; there is no `version` constraint,
# so each `terraform init` may resolve a different provider release.
# NOTE(review): pin a constraint, e.g. `version = "<PIN-VERSION-CONSTRAINT>"`,
# so provider upgrades are deliberate and reviewable.
terraform {
  required_providers {
    keycloak = {
      source = "mrparkers/keycloak"
    }
  }
}
# Provider authentication against the Keycloak server.
# The provider logs in as `username`/`password` through the built-in
# `admin-cli` client at `url`.
provider "keycloak" {
  client_id = "admin-cli"
  # Plain HTTP to an in-cluster service name; credentials below travel
  # unencrypted unless the network path is otherwise protected.
  url = "http://keycloak.keycloak"
  # Admin credentials are hard-coded in source and will be stored in state.
  # NOTE(review): move these to `variable` blocks with `sensitive = true`
  # or to the provider's environment variables (KEYCLOAK_USER /
  # KEYCLOAK_PASSWORD — confirm against the provider docs for the pinned
  # version) so they are not committed alongside the configuration.
  username = "admin"
  password = "admin"
  # Disables TLS certificate verification for the provider's connection.
  # Acceptable only for a throwaway lab; remove once `url` uses https
  # with a trusted certificate.
  tls_insecure_skip_verify = true
}
# The "kpi" realm: a separate tenant holding the clients, groups and users
# defined below.
resource "keycloak_realm" "kpi" {
  realm   = "kpi"
  enabled = true
  # Rendered as raw HTML in the realm's login pages; keep this a static
  # literal — never build it from user-controlled input.
  display_name_html = "<h1>KPI SSO</h1>"
  # Users may sign in with their email address as well as their username.
  login_with_email_allowed = true
  # Exposes the "forgot password" flow on the login page.
  reset_password_allowed = true
  remember_me            = true
  # NOTE(review): no password policy or brute-force protection is set here;
  # consider `password_policy` and a `security_defenses` block for anything
  # beyond a lab realm — verify attribute names against the provider docs.
}
# Audit event settings for the realm: turns on login/user events and
# admin (configuration) events, including full request details.
resource "keycloak_realm_events" "kpi" {
  realm_id       = keycloak_realm.kpi.id
  events_enabled = true
  # Retention of stored user events. The provider documents this in
  # seconds, so 3600 keeps only one hour of login history — short for
  # incident review; raise it or ship events to an external sink.
  events_expiration = 3600
  # Admin events record who changed realm configuration and what changed.
  admin_events_enabled         = true
  admin_events_details_enabled = true
}
# A reusable client scope named "groups" that carries the group-membership
# claim (see the mapper attached to it below).
resource "keycloak_openid_client_scope" "kpi_groups" {
  realm_id = keycloak_realm.kpi.id
  name     = "groups"
  # Advertise the scope in the token's `scope` claim.
  include_in_token_scope = true
  gui_order              = 1
}
# Mapper that emits the user's group memberships as a `groups` claim on
# tokens issued to any client that has the "groups" scope.
resource "keycloak_openid_group_membership_protocol_mapper" "kpi_groups" {
  realm_id        = keycloak_realm.kpi.id
  client_scope_id = keycloak_openid_client_scope.kpi_groups.id
  name            = "groups"
  claim_name      = "groups"
  # With full_path disabled the claim holds bare group names rather than
  # "/parent/child" paths; two groups with the same name in different
  # subtrees would be indistinguishable to the relying party — confirm
  # against the provider docs if nested groups are ever introduced.
  full_path = false
}
# OIDC client for Grafana.
resource "keycloak_openid_client" "grafana" {
  realm_id  = keycloak_realm.kpi.id
  client_id = "grafana"
  name      = "grafana"
  enabled   = true
  # PUBLIC clients do not authenticate with a secret, so the
  # `client_secret` set below is inconsistent with this access type.
  # NOTE(review): either drop `client_secret` or switch to
  # `access_type = "CONFIDENTIAL"` and supply the secret from a sensitive
  # variable rather than a literal — the literal will also land in state.
  access_type   = "PUBLIC"
  client_secret = "grafana"
  # Authorization code flow.
  standard_flow_enabled = true
  # A bare "*" accepts any redirect target, which lets an attacker-chosen
  # URI receive the authorization code. Replace with the exact Grafana
  # callback URL(s) for this deployment.
  valid_redirect_uris = [
    "*",
  ]
}
# Default scopes for the Grafana client: standard profile/email plus the
# custom "groups" scope, referenced by resource attribute so Terraform
# orders creation after the scope exists.
resource "keycloak_openid_client_default_scopes" "grafana" {
  realm_id  = keycloak_realm.kpi.id
  client_id = keycloak_openid_client.grafana.id
  default_scopes = [
    "profile",
    "email",
    keycloak_openid_client_scope.kpi_groups.name,
  ]
}
# OIDC client used for Kubernetes API-server / kubectl login.
resource "keycloak_openid_client" "kubernetes" {
  realm_id  = keycloak_realm.kpi.id
  client_id = "kubernetes"
  name      = "kubernetes"
  enabled   = true
  # Public client (no secret); relies on the redirect-URI check and,
  # ideally, PKCE to protect the code exchange.
  # NOTE(review): consider `pkce_code_challenge_method = "S256"` —
  # verify the attribute against the provider docs for the pinned version.
  access_type           = "PUBLIC"
  standard_flow_enabled = true
  # "*" accepts any redirect target; for a public client this is the only
  # guard on where the authorization code is delivered. Restrict it to
  # the concrete loopback/callback URIs used by the login tooling.
  valid_redirect_uris = [
    "*",
  ]
}
# Adds the client's own client_id ("kubernetes") to the `aud` claim of
# tokens it receives, so a relying party that validates the audience
# will accept them.
resource "keycloak_openid_audience_protocol_mapper" "kubernetes" {
  realm_id  = keycloak_realm.kpi.id
  client_id = keycloak_openid_client.kubernetes.id
  name      = "audience-mapper"
  # Referencing the resource attribute keeps the audience in sync if the
  # client_id is ever renamed.
  included_client_audience = keycloak_openid_client.kubernetes.client_id
}
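# Default scopes for the Kubernetes client: standard profile/email plus the
# custom "groups" scope. The scope is referenced by resource attribute
# (matching the grafana block) rather than the literal "groups", so
# Terraform orders this after the scope is created and the two blocks
# cannot drift apart if the scope name changes.
resource "keycloak_openid_client_default_scopes" "kubernetes" {
  realm_id  = keycloak_realm.kpi.id
  client_id = keycloak_openid_client.kubernetes.id
  default_scopes = [
    "profile",
    "email",
    keycloak_openid_client_scope.kpi_groups.name,
  ]
}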
# Group whose name is surfaced in the `groups` claim; the relying party
# (Grafana) is expected to map it to its own admin role.
resource "keycloak_group" "grafana-admin" {
  realm_id = keycloak_realm.kpi.id
  name     = "grafana-admin"
}
# Group whose name is surfaced in the `groups` claim; cluster-side RBAC
# bindings for this group name live outside this configuration.
resource "keycloak_group" "kubernetes-admin" {
  realm_id = keycloak_realm.kpi.id
  name     = "kubernetes-admin"
}
# A user inside the "kpi" realm. This is distinct from the server admin
# account the provider block authenticates with, even though the
# username is the same.
resource "keycloak_user" "admin" {
  realm_id = keycloak_realm.kpi.id
  username = "admin"
  enabled  = true
  email    = "admin@kpi.com"
  # Marked verified at creation, so no confirmation email is required.
  email_verified = true
  # One-character bootstrap password committed in source (and state).
  # `temporary = true` forces a change at first login, but the value is
  # still guessable until then.
  # NOTE(review): source the value from a sensitive variable / random
  # password resource and hand it over out of band.
  initial_password {
    value     = "a"
    temporary = true
  }
}
# Group membership for the realm "admin" user: kubernetes-admin only.
# It is deliberately not in grafana-admin; Grafana admin rights go to a
# separate user below.
resource "keycloak_user_groups" "admin" {
  realm_id = keycloak_realm.kpi.id
  user_id  = keycloak_user.admin.id
  group_ids = [
    keycloak_group.kubernetes-admin.id,
  ]
}
# Realm user intended to hold Grafana administration rights via group
# membership (see keycloak_user_groups.grafana-admin).
resource "keycloak_user" "grafana-admin" {
  realm_id = keycloak_realm.kpi.id
  username = "grafana-admin"
  enabled  = true
  email    = "grafana-admin@kpi.com"
  # Marked verified at creation, so no confirmation email is required.
  email_verified = true
  # Same weak bootstrap password as the "admin" user, committed in source
  # and state; `temporary = true` only forces a change after first login.
  # NOTE(review): source the value from a sensitive variable / random
  # password resource and hand it over out of band.
  initial_password {
    value     = "a"
    temporary = true
  }
}
# Group membership for the "grafana-admin" user: grafana-admin only.
resource "keycloak_user_groups" "grafana-admin" {
  realm_id = keycloak_realm.kpi.id
  user_id  = keycloak_user.grafana-admin.id
  group_ids = [
    keycloak_group.grafana-admin.id,
  ]
}