ondrejsika · June 2, 2023 13:09 · Jun 2, 2023
diff --git a/keycloak.tf b/keycloak.tf
@@ -0,0 +1,151 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source = "mrparkers/keycloak"
+    }
+  }
+}
+
+provider "keycloak" {
+  client_id                = "admin-cli"
+  url                      = "http://keycloak.keycloak"
+  username                 = "admin"
+  password                 = "admin"
+  tls_insecure_skip_verify = true
+}
+
+resource "keycloak_realm" "kpi" {
+  realm                    = "kpi"
+  enabled                  = true
+  display_name_html        = "<h1>KPI SSO</h1>"
+  login_with_email_allowed = true
+  reset_password_allowed   = true
+  remember_me              = true
+}
+
+resource "keycloak_realm_events" "kpi" {
+  realm_id = keycloak_realm.kpi.id
+
+  events_enabled    = true
+  events_expiration = 3600
+
+  admin_events_enabled         = true
+  admin_events_details_enabled = true
+}
+
+resource "keycloak_openid_client_scope" "kpi_groups" {
+  realm_id               = keycloak_realm.kpi.id
+  name                   = "groups"
+  include_in_token_scope = true
+  gui_order              = 1
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "kpi_groups" {
+  realm_id        = keycloak_realm.kpi.id
+  client_scope_id = keycloak_openid_client_scope.kpi_groups.id
+  name            = "groups"
+  claim_name      = "groups"
+  full_path       = false
+}
+
+resource "keycloak_openid_client" "grafana" {
+  realm_id              = keycloak_realm.kpi.id
+  client_id             = "grafana"
+  name                  = "grafana"
+  enabled               = true
+  access_type           = "PUBLIC"
+  client_secret         = "grafana"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+  "*",
+  ]
+}
+
+resource "keycloak_openid_client_default_scopes" "grafana" {
+  realm_id  = keycloak_realm.kpi.id
+  client_id = keycloak_openid_client.grafana.id
+  default_scopes = [
+    "profile",
+    "email",
+    keycloak_openid_client_scope.kpi_groups.name,
+  ]
+}
+
+resource "keycloak_openid_client" "kubernetes" {
+  realm_id              = keycloak_realm.kpi.id
+  client_id             = "kubernetes"
+  name                  = "kubernetes"
+  enabled               = true
+  access_type           = "PUBLIC"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+    "*",
+  ]
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "kubernetes" {
+  realm_id  = keycloak_realm.kpi.id
+  client_id = keycloak_openid_client.kubernetes.id
+  name      = "audience-mapper"
+  included_client_audience = keycloak_openid_client.kubernetes.client_id
+}
+
+resource "keycloak_openid_client_default_scopes" "kubernetes" {
+  realm_id  = keycloak_realm.kpi.id
+  client_id = keycloak_openid_client.kubernetes.id
+  default_scopes = [
+    "profile",
+    "email",
+    "groups",
+  ]
+}
+
+resource "keycloak_group" "grafana-admin" {
+  realm_id = keycloak_realm.kpi.id
+  name     = "grafana-admin"
+}
+
+resource "keycloak_group" "kubernetes-admin" {
+  realm_id = keycloak_realm.kpi.id
+  name     = "kubernetes-admin"
+}
+
+resource "keycloak_user" "admin" {
+  realm_id       = keycloak_realm.kpi.id
+  username       = "admin"
+  enabled        = true
+  email          = "admin@kpi.com"
+  email_verified = true
+  initial_password {
+    value     = "a"
+    temporary = true
+  }
+}
+
+resource "keycloak_user_groups" "admin" {
+  realm_id = keycloak_realm.kpi.id
+  user_id  = keycloak_user.admin.id
+  group_ids = [
+    keycloak_group.kubernetes-admin.id,
+  ]
+}
+
+resource "keycloak_user" "grafana-admin" {
+  realm_id       = keycloak_realm.kpi.id
+  username       = "grafana-admin"
+  enabled        = true
+  email          = "grafana-admin@kpi.com"
+  email_verified = true
+  initial_password {
+    value     = "a"
+    temporary = true
+  }
+}
+
+resource "keycloak_user_groups" "grafana-admin" {
+  realm_id = keycloak_realm.kpi.id
+  user_id  = keycloak_user.grafana-admin.id
+  group_ids = [
+    keycloak_group.grafana-admin.id,
+  ]
+}
No results found