119 lines
3.3 KiB
HCL
119 lines
3.3 KiB
HCL
variable "realm_id" { }
|
|
variable "client_id" { }
|
|
variable "client_name" { default = "" }
|
|
variable "client_secret" {
|
|
type = string
|
|
default = ""
|
|
description = "sets client_secret if set. a random 128 digit secret will be generated if this is not set or set to an empty string. this secret is very long because of the lack of specials."
|
|
}
|
|
variable "keepers" {
|
|
type = map
|
|
default = {}
|
|
description = "keepers used to determine when to rotate a random client_secret. only used if client_secret is unset."
|
|
}
|
|
variable "redirect_uris" {
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
variable "vault_kv_path" {
|
|
default = "kvv2"
|
|
}
|
|
variable "vault_secret_name" {
|
|
description = "secret object name (path-like thing in kvv2, not secret object key either -- those are client_id and client_secret)"
|
|
type = string
|
|
default = ""
|
|
}
|
|
variable "backchannel_logout_url" { default = "" }
|
|
variable "backchannel_logout_session_required" { default = false }
|
|
variable "secret_metadata" {
|
|
type = map
|
|
default = {}
|
|
}
|
|
|
|
resource "random_password" "client_secret" {
|
|
keepers = var.keepers
|
|
count = var.client_secret == "" ? 1 : 0
|
|
|
|
special = false
|
|
length = 86 # 62**86 > 2**512 (but 62**85 is not)
|
|
}
|
|
|
|
variable "kubernetes_secret_name" {
|
|
default = ""
|
|
}
|
|
|
|
variable "kubernetes_secret_namespace" {
|
|
default = ""
|
|
}
|
|
|
|
variable "kubernetes_secret_client_id_key" {
|
|
default = "client_id"
|
|
}
|
|
|
|
variable "kubernetes_secret_client_secret_key" {
|
|
default = "client_secret"
|
|
}
|
|
|
|
locals {
|
|
client_name = var.client_name == "" ? var.client_id : var.client_name
|
|
client_secret = var.client_secret == "" ? random_password.client_secret.0.result : var.client_secret
|
|
kubernetes_secret_namespace = var.kubernetes_secret_namespace == "" ? local.client_name : var.kubernetes_secret_namespace
|
|
}
|
|
|
|
resource "keycloak_openid_client" "openid_client" {
|
|
realm_id = var.realm_id
|
|
client_id = var.client_id
|
|
client_secret = local.client_secret
|
|
|
|
name = local.client_name
|
|
enabled = true
|
|
|
|
standard_flow_enabled = true
|
|
access_type = "CONFIDENTIAL"
|
|
valid_redirect_uris = var.redirect_uris
|
|
|
|
backchannel_logout_url = var.backchannel_logout_url
|
|
backchannel_logout_session_required = var.backchannel_logout_session_required
|
|
|
|
login_theme = "keycloak"
|
|
}
|
|
|
|
#resource "vault_kv_secret_v2" "oidc_client" {
|
|
# count = var.vault_secret_name == "" ? 0 : 1
|
|
# mount = var.vault_kv_path
|
|
# name = var.vault_secret_name
|
|
# data_json = jsonencode(
|
|
# {
|
|
# client_id = keycloak_openid_client.openid_client.client_id
|
|
# client_secret = keycloak_openid_client.openid_client.client_secret
|
|
# }
|
|
# )
|
|
# custom_metadata {
|
|
# data = var.secret_metadata
|
|
# }
|
|
#}
|
|
|
|
resource "kubernetes_secret" "oidc_client" {
|
|
count = var.kubernetes_secret_name == "" ? 0 : 1
|
|
|
|
metadata {
|
|
name = var.kubernetes_secret_name
|
|
namespace = local.kubernetes_secret_namespace
|
|
}
|
|
|
|
data = {
|
|
"${var.kubernetes_secret_client_id_key}" = keycloak_openid_client.openid_client.client_id
|
|
"${var.kubernetes_secret_client_secret_key}" = keycloak_openid_client.openid_client.client_secret
|
|
}
|
|
}
|
|
|
|
|
|
output "client_id" {
|
|
value = resource.keycloak_openid_client.openid_client.client_id
|
|
sensitive = true
|
|
}
|
|
output "client_secret" {
|
|
value = resource.keycloak_openid_client.openid_client.client_secret
|
|
sensitive = true
|
|
}
|