kube-cascade/keycloak/tf/oidc-client/werts.tf

variable "realm_id" { }
variable "client_id" { }
variable "client_name" { default = "" }
variable "client_secret" {
  type = string
  default = ""
  description = "sets client_secret if set.  a random 128 digit secret will be generated if this is not set or set to an empty string.  this secret is very long because of the lack of specials."
}
variable "keepers" {
  type = map
  default = {}
  description = "keepers used to determine when to rotate a random client_secret.  only used if client_secret is unset."
}
variable "redirect_uris" {
  type = list(string)
  default = []
}
variable "vault_kv_path" {
  default = "kvv2"
}
variable "vault_secret_name" {
  description = "secret object name (path-like thing in kvv2, not secret object key either -- those are client_id and client_secret)"
  type = string
  default = ""
}
variable "backchannel_logout_url" { default = "" }
variable "backchannel_logout_session_required" { default = false }
variable "secret_metadata" {
  type = map
  default = {}
}

resource "random_password" "client_secret" {
  keepers = var.keepers
  count = var.client_secret == "" ? 1 : 0

  special = false
  length = 86  # 62**86 > 2**512 (but 62**85 is not)
}

variable "kubernetes_secret_name" {
  default = ""
}

variable "kubernetes_secret_namespace" {
  default = ""
}

variable "kubernetes_secret_client_id_key" {
  default = "client_id"
}

variable "kubernetes_secret_client_secret_key" {
  default = "client_secret"
}

locals {
  client_name = var.client_name == "" ? var.client_id : var.client_name
  client_secret = var.client_secret == "" ? random_password.client_secret.0.result : var.client_secret
  kubernetes_secret_namespace = var.kubernetes_secret_namespace == "" ? local.client_name : var.kubernetes_secret_namespace
}

resource "keycloak_openid_client" "openid_client" {
  realm_id            = var.realm_id
  client_id           = var.client_id
  client_secret       = local.client_secret

  name                = local.client_name
  enabled             = true

  standard_flow_enabled = true
  access_type         = "CONFIDENTIAL"
  valid_redirect_uris = var.redirect_uris

  backchannel_logout_url = var.backchannel_logout_url
  backchannel_logout_session_required = var.backchannel_logout_session_required

  login_theme = "keycloak"
}

#resource "vault_kv_secret_v2" "oidc_client" {
#  count = var.vault_secret_name == "" ? 0 : 1
#  mount                      = var.vault_kv_path
#  name                       = var.vault_secret_name
#  data_json                  = jsonencode(
#  {
#    client_id     = keycloak_openid_client.openid_client.client_id
#    client_secret = keycloak_openid_client.openid_client.client_secret
#  }
#  )
#  custom_metadata {
#    data = var.secret_metadata
#  }
#}

resource "kubernetes_secret" "oidc_client" {
  count = var.kubernetes_secret_name == "" ? 0 : 1

  metadata {
    name = var.kubernetes_secret_name
    namespace = local.kubernetes_secret_namespace
  }

  data = {
    "${var.kubernetes_secret_client_id_key}" = keycloak_openid_client.openid_client.client_id
    "${var.kubernetes_secret_client_secret_key}" = keycloak_openid_client.openid_client.client_secret
  }
}


output "client_id" {
  value = resource.keycloak_openid_client.openid_client.client_id
  sensitive = true
}
output "client_secret" {
  value = resource.keycloak_openid_client.openid_client.client_secret
  sensitive = true
}
add keycloak 2023-12-19 22:19:09 +00:00			`variable "realm_id" { }`
			`variable "client_id" { }`
			`variable "client_name" { default = "" }`
			`variable "client_secret" {`
			`type = string`
			`default = ""`
			`description = "sets client_secret if set. a random 128 digit secret will be generated if this is not set or set to an empty string. this secret is very long because of the lack of specials."`
			`}`
			`variable "keepers" {`
			`type = map`
			`default = {}`
			`description = "keepers used to determine when to rotate a random client_secret. only used if client_secret is unset."`
			`}`
			`variable "redirect_uris" {`
			`type = list(string)`
			`default = []`
			`}`
			`variable "vault_kv_path" {`
			`default = "kvv2"`
			`}`
			`variable "vault_secret_name" {`
			`description = "secret object name (path-like thing in kvv2, not secret object key either -- those are client_id and client_secret)"`
			`type = string`
			`default = ""`
			`}`
			`variable "backchannel_logout_url" { default = "" }`
			`variable "backchannel_logout_session_required" { default = false }`
			`variable "secret_metadata" {`
			`type = map`
			`default = {}`
			`}`

			`resource "random_password" "client_secret" {`
			`keepers = var.keepers`
			`count = var.client_secret == "" ? 1 : 0`

			`special = false`
			`length = 86 # 6286 > 2512 (but 62**85 is not)`
			`}`

			`variable "kubernetes_secret_name" {`
			`default = ""`
			`}`

			`variable "kubernetes_secret_namespace" {`
			`default = ""`
			`}`

			`variable "kubernetes_secret_client_id_key" {`
			`default = "client_id"`
			`}`

			`variable "kubernetes_secret_client_secret_key" {`
			`default = "client_secret"`
			`}`

			`locals {`
			`client_name = var.client_name == "" ? var.client_id : var.client_name`
			`client_secret = var.client_secret == "" ? random_password.client_secret.0.result : var.client_secret`
			`kubernetes_secret_namespace = var.kubernetes_secret_namespace == "" ? local.client_name : var.kubernetes_secret_namespace`
			`}`

			`resource "keycloak_openid_client" "openid_client" {`
			`realm_id = var.realm_id`
			`client_id = var.client_id`
			`client_secret = local.client_secret`

			`name = local.client_name`
			`enabled = true`

			`standard_flow_enabled = true`
			`access_type = "CONFIDENTIAL"`
			`valid_redirect_uris = var.redirect_uris`

			`backchannel_logout_url = var.backchannel_logout_url`
			`backchannel_logout_session_required = var.backchannel_logout_session_required`

			`login_theme = "keycloak"`
			`}`

			`#resource "vault_kv_secret_v2" "oidc_client" {`
			`# count = var.vault_secret_name == "" ? 0 : 1`
			`# mount = var.vault_kv_path`
			`# name = var.vault_secret_name`
			`# data_json = jsonencode(`
			`# {`
			`# client_id = keycloak_openid_client.openid_client.client_id`
			`# client_secret = keycloak_openid_client.openid_client.client_secret`
			`# }`
			`# )`
			`# custom_metadata {`
			`# data = var.secret_metadata`
			`# }`
			`#}`

			`resource "kubernetes_secret" "oidc_client" {`
			`count = var.kubernetes_secret_name == "" ? 0 : 1`

			`metadata {`
			`name = var.kubernetes_secret_name`
			`namespace = local.kubernetes_secret_namespace`
			`}`

			`data = {`
			`"${var.kubernetes_secret_client_id_key}" = keycloak_openid_client.openid_client.client_id`
			`"${var.kubernetes_secret_client_secret_key}" = keycloak_openid_client.openid_client.client_secret`
			`}`
			`}`


			`output "client_id" {`
			`value = resource.keycloak_openid_client.openid_client.client_id`
			`sensitive = true`
			`}`
			`output "client_secret" {`
			`value = resource.keycloak_openid_client.openid_client.client_secret`
			`sensitive = true`
			`}`