Deployed rsauth2-proxy

terraform/keycloak/.terraform.lock.hcl

@@ -0,0 +1,27 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/keycloak/keycloak" {
+  version     = "5.7.0"
+  constraints = ">= 5.0.0"
+  hashes = [
+    "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=",
+    "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede",
+    "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb",
+    "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd",
+    "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa",
+    "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf",
+    "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc",
+    "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78",
+    "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd",
+    "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f",
+    "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22",
+    "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58",
+    "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae",
+    "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef",
+    "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6",
+    "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767",
+    "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648",
+    "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39",
+  ]
+}

terraform/keycloak/main.tf

@@ -0,0 +1,133 @@
+# =============================================================================
+# Realm
+# =============================================================================
+
+resource "keycloak_realm" "hexor" {
+  realm   = "hexor"
+  enabled = true
+
+  display_name = "Hexor"
+
+  login_theme   = "keycloak"
+  account_theme = "keycloak.v3"
+
+  registration_allowed     = false
+  reset_password_allowed   = true
+  remember_me              = true
+  verify_email             = false
+  login_with_email_allowed = true
+  duplicate_emails_allowed = false
+
+  ssl_required = "external"
+}
+
+# =============================================================================
+# Google Identity Provider
+# =============================================================================
+
+resource "keycloak_oidc_google_identity_provider" "google" {
+  realm         = keycloak_realm.hexor.id
+  client_id     = var.google_client_id
+  client_secret = var.google_client_secret
+
+  trust_email = true
+  sync_mode   = "IMPORT"
+}
+
+# =============================================================================
+# Default groups
+# =============================================================================
+
+resource "keycloak_group" "users" {
+  realm_id = keycloak_realm.hexor.id
+  name     = "users"
+}
+
+resource "keycloak_default_groups" "default" {
+  realm_id  = keycloak_realm.hexor.id
+  group_ids = [keycloak_group.users.id]
+}
+
+# =============================================================================
+# rsauth2-proxy client (production)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy"
+
+  name                         = "rsauth2-proxy"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "https://oauth.hexor.cy/callback",
+  ]
+
+  web_origins = [
+    "https://oauth.hexor.cy",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}
+
+# =============================================================================
+# rsauth2-proxy client (localhost testing)
+# =============================================================================
+
+resource "keycloak_openid_client" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = "rsauth2-proxy-dev"
+
+  name                         = "rsauth2-proxy (dev)"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = false
+
+  valid_redirect_uris = [
+    "http://localhost:8080/callback",
+  ]
+
+  web_origins = [
+    "http://localhost:8080",
+  ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
+  realm_id   = keycloak_realm.hexor.id
+  client_id  = keycloak_openid_client.rsauth2_proxy_dev.id
+  name       = "groups"
+  claim_name = "groups"
+  full_path  = false
+}
+
+resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
+  realm_id  = keycloak_realm.hexor.id
+  client_id = keycloak_openid_client.rsauth2_proxy_dev.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+  ]
+}

terraform/keycloak/outputs.tf

@@ -0,0 +1,25 @@
+output "realm_id" {
+  value = keycloak_realm.hexor.id
+}
+
+output "google_idp_alias" {
+  value = keycloak_oidc_google_identity_provider.google.alias
+}
+
+output "rsauth2_proxy_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy.client_id
+}
+
+output "rsauth2_proxy_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy.client_secret
+  sensitive = true
+}
+
+output "rsauth2_proxy_dev_client_id" {
+  value = keycloak_openid_client.rsauth2_proxy_dev.client_id
+}
+
+output "rsauth2_proxy_dev_client_secret" {
+  value     = keycloak_openid_client.rsauth2_proxy_dev.client_secret
+  sensitive = true
+}

terraform/keycloak/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "keycloak/keycloak"
+      version = ">= 5.0.0"
+    }
+  }
+}
+
+provider "keycloak" {
+  url           = var.keycloak_url
+  base_path     = "/auth"
+  client_id     = var.keycloak_client_id
+  client_secret = var.keycloak_client_secret
+}

terraform/keycloak/state.tf

@@ -0,0 +1,8 @@
+terraform {
+  cloud {
+    organization = "ultradesu"
+    workspaces {
+      name = "Keycloak"
+    }
+  }
+}

terraform/keycloak/variables.tf

@@ -0,0 +1,28 @@
+variable "keycloak_url" {
+  description = "Keycloak URL (set via TF_VAR_keycloak_url)"
+  type        = string
+  default     = "https://auth.hexor.cy"
+}
+
+variable "keycloak_client_id" {
+  description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)"
+  type        = string
+  default     = "terraform"
+}
+
+variable "keycloak_client_secret" {
+  description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)"
+  type        = string
+  sensitive   = true
+}
+
+variable "google_client_id" {
+  description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
+  type        = string
+}
+
+variable "google_client_secret" {
+  description = "Google OAuth client secret (set via TF_VAR_google_client_secret)"
+  type        = string
+  sensitive   = true
+}