ab/homelab
1
1
Fork 1
Code Issues Pull Requests 70 Actions Packages Wiki Activity
Files
6be43864a8c7e795399e43d7654d002e547dbfd1
homelab/terraform/keycloak/main.tf
T
Ultradesu dd77d32efe
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 7s
Details
Check with kubeconform / lint (push) Successful in 6s
Details
Auto-update README / Generate README and Create MR (push) Successful in 25s
Details
deployed auth-proxy
2026-05-05 15:21:27 +01:00

173 lines
4.5 KiB
Terraform
Raw Blame History

# =============================================================================
# Realm
# =============================================================================
resource "keycloak_realm" "hexor" {
realm = "hexor"
enabled = true
display_name = "Hexor"
login_theme = "keycloak"
account_theme = "keycloak.v3"
registration_allowed = false
reset_password_allowed = true
remember_me = true
verify_email = false
login_with_email_allowed = true
duplicate_emails_allowed = false
ssl_required = "external"
}
# =============================================================================
# Google Identity Provider
# =============================================================================
resource "keycloak_oidc_google_identity_provider" "google" {
realm = keycloak_realm.hexor.id
client_id = var.google_client_id
client_secret = var.google_client_secret
trust_email = true
sync_mode = "IMPORT"
}
# =============================================================================
# Standalone groups
# =============================================================================
resource "keycloak_group" "standalone" {
for_each = toset(var.groups)
realm_id = keycloak_realm.hexor.id
name = each.value
}
resource "keycloak_default_groups" "default" {
realm_id = keycloak_realm.hexor.id
group_ids = [for g in keycloak_group.standalone : g.id if g.name == "users"]
}
# =============================================================================
# rsauth2-proxy client (production)
# =============================================================================
resource "keycloak_openid_client" "rsauth2_proxy" {
realm_id = keycloak_realm.hexor.id
client_id = "rsauth2-proxy"
name = "rsauth2-proxy"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
direct_access_grants_enabled = false
valid_redirect_uris = [
"https://oauth.hexor.cy/callback",
]
web_origins = [
"https://oauth.hexor.cy",
]
}
resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" {
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.rsauth2_proxy.id
name = "groups"
claim_name = "groups"
full_path = false
}
resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.rsauth2_proxy.id
default_scopes = [
"openid",
"profile",
"email",
]
}
# =============================================================================
# rsauth2-proxy client (localhost testing)
# =============================================================================
resource "keycloak_openid_client" "rsauth2_proxy_dev" {
realm_id = keycloak_realm.hexor.id
client_id = "rsauth2-proxy-dev"
name = "rsauth2-proxy (dev)"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
direct_access_grants_enabled = false
valid_redirect_uris = [
"http://localhost:8080/callback",
]
web_origins = [
"http://localhost:8080",
]
}
resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.rsauth2_proxy_dev.id
name = "groups"
claim_name = "groups"
full_path = false
}
resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.rsauth2_proxy_dev.id
default_scopes = [
"openid",
"profile",
"email",
]
}
# =============================================================================
# Proxy applications — auto-created groups + routes ConfigMap
# =============================================================================
resource "keycloak_group" "app" {
for_each = var.proxy_applications
realm_id = keycloak_realm.hexor.id
name = "app-${each.key}"
}
locals {
app_allowed_groups = {
for k, v in var.proxy_applications : k => concat(
["app-${k}"],
v.allowed_groups
)
}
}
resource "kubernetes_config_map" "auth_proxy_routes" {
metadata {
name = "auth-proxy-routes"
namespace = "auth-proxy"
}
data = {
"routes.yaml" = yamlencode({
routes = {
for k, v in var.proxy_applications : v.domain => {
allowed_groups = local.app_allowed_groups[k]
}
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink