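# Keycloak confidential OIDC client whose credentials are handed to consumers
# through a Kubernetes Secret (and, when the block below is re-enabled, a
# Vault KV v2 secret).
#
# NOTE(review): the client secret is carried by every resource that touches
# it (random_password, keycloak_openid_client, kubernetes_secret) and is
# therefore written to Terraform state. `sensitive = true` only redacts
# plan/apply output; the state backend itself must be access-controlled
# and encrypted.

# --- Keycloak client -------------------------------------------------------

variable "realm_id" {
  type        = string
  description = "Keycloak realm the client is created in."
}

variable "client_id" {
  type        = string
  description = "OIDC client_id. Also used as the display name and Kubernetes namespace when those are not set."
}

variable "client_name" {
  type        = string
  default     = ""
  description = "Display name of the client. Falls back to client_id when empty."
}

variable "client_secret" {
  type        = string
  default     = ""
  sensitive   = true
  description = <<-EOT
    Sets the client_secret if non-empty. When unset or empty an 86-character
    alphanumeric secret is generated instead (62^86 > 2^512, i.e. >= 512 bits
    of entropy); it is this long because no special characters are used.
    A supplied value should be treated with the same care as the generated one.
  EOT
}

variable "keepers" {
  type        = map(string)
  default     = {}
  description = "Keepers that trigger rotation of the generated client_secret. Only used when client_secret is unset or empty."
}

variable "redirect_uris" {
  type        = list(string)
  default     = []
  description = "Valid redirect URIs for the authorization code flow. Keep entries as specific as possible; broad wildcard patterns widen the set of URLs an authorization code can be sent to."
}

variable "backchannel_logout_url" {
  type        = string
  default     = ""
  description = "Back-channel logout URL registered on the client. Empty disables it."
}

variable "backchannel_logout_session_required" {
  type        = bool
  default     = false
  description = "Whether the back-channel logout token must carry a session id."
}

# --- Vault export (currently disabled, see commented resource below) -------

variable "vault_kv_path" {
  type        = string
  default     = "kvv2"
  description = "Mount path of the KV v2 engine. Only consumed by the (disabled) vault_kv_secret_v2 resource."
}

variable "vault_secret_name" {
  type        = string
  default     = ""
  description = "Secret object name (path-like thing in kvv2, not the secret object key either -- those are client_id and client_secret). Only consumed by the (disabled) vault_kv_secret_v2 resource."
}

variable "secret_metadata" {
  type        = map(string)
  default     = {}
  description = "Custom metadata attached to the Vault secret. Only consumed by the (disabled) vault_kv_secret_v2 resource."
}

# --- Kubernetes export -----------------------------------------------------

variable "kubernetes_secret_name" {
  type        = string
  default     = ""
  description = "Name of the Kubernetes Secret to create. Empty skips creation."
}

variable "kubernetes_secret_namespace" {
  type        = string
  default     = ""
  description = "Namespace for the Kubernetes Secret. Falls back to the client name when empty."
}

variable "kubernetes_secret_client_id_key" {
  type        = string
  default     = "client_id"
  description = "Key under which the client_id is stored in the Kubernetes Secret."
}

variable "kubernetes_secret_client_secret_key" {
  type        = string
  default     = "client_secret"
  description = "Key under which the client_secret is stored in the Kubernetes Secret."
}

# Generated only when no client_secret was supplied; rotated when `keepers` change.
resource "random_password" "client_secret" {
  count   = var.client_secret == "" ? 1 : 0
  keepers = var.keepers
  special = false
  length  = 86 # 62**86 > 2**512 (but 62**85 is not)
}

locals {
  client_name = var.client_name == "" ? var.client_id : var.client_name

  # The random_password resource has count 0 when a secret was supplied, so
  # it is only indexed on the generated branch.
  client_secret = var.client_secret == "" ? random_password.client_secret[0].result : var.client_secret

  kubernetes_secret_namespace = var.kubernetes_secret_namespace == "" ? local.client_name : var.kubernetes_secret_namespace
}

resource "keycloak_openid_client" "openid_client" {
  realm_id      = var.realm_id
  client_id     = var.client_id
  client_secret = local.client_secret
  name          = local.client_name
  enabled       = true

  # Confidential client using the authorization code flow only.
  standard_flow_enabled = true
  access_type           = "CONFIDENTIAL"
  valid_redirect_uris   = var.redirect_uris

  backchannel_logout_url              = var.backchannel_logout_url
  backchannel_logout_session_required = var.backchannel_logout_session_required

  login_theme = "keycloak"
}

# Disabled export of the credentials to Vault KV v2. When re-enabled, note
# that the secret is then stored in state for this resource as well.
#resource "vault_kv_secret_v2" "oidc_client" {
#  count = var.vault_secret_name == "" ? 0 : 1
#  mount = var.vault_kv_path
#  name  = var.vault_secret_name
#  data_json = jsonencode(
#    {
#      client_id     = keycloak_openid_client.openid_client.client_id
#      client_secret = keycloak_openid_client.openid_client.client_secret
#    }
#  )
#  custom_metadata {
#    data = var.secret_metadata
#  }
#}

# Export of the credentials to a Kubernetes Secret (created only when a name is given).
resource "kubernetes_secret" "oidc_client" {
  count = var.kubernetes_secret_name == "" ? 0 : 1

  metadata {
    name      = var.kubernetes_secret_name
    namespace = local.kubernetes_secret_namespace
  }

  # Parenthesised keys evaluate the variable instead of using it literally.
  data = {
    (var.kubernetes_secret_client_id_key)     = keycloak_openid_client.openid_client.client_id
    (var.kubernetes_secret_client_secret_key) = keycloak_openid_client.openid_client.client_secret
  }
}

output "client_id" {
  value       = keycloak_openid_client.openid_client.client_id
  sensitive   = true
  description = "client_id of the created Keycloak client."
}

output "client_secret" {
  value       = keycloak_openid_client.openid_client.client_secret
  sensitive   = true
  description = "client_secret of the created Keycloak client (supplied or generated)."
}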