Add all admin and access roles to super admin group

2024-01-16 01:34:02 +01:00 · 2024-01-16 01:34:02 +01:00 · de76894eb4
parent 5f2c316033
commit de76894eb4
1 changed files with 25 additions and 10 deletions
--- a/tf-stage-1/modules/kc-client/client.tf
+++ b/tf-stage-1/modules/kc-client/client.tf
@ -3,8 +3,8 @@ data "keycloak_realm" "realm" {
 }

 resource "keycloak_openid_client" "client" {
-  realm_id  = data.keycloak_realm.realm.id
-  client_id = var.client_id
+  realm_id      = data.keycloak_realm.realm.id
+  client_id     = var.client_id
  client_secret = var.client_secret

  name        = var.client_name
@ -24,11 +24,11 @@ resource "keycloak_openid_client" "client" {

  login_theme = var.login_theme

-  standard_flow_enabled        = true
-  implicit_flow_enabled        = false
-  direct_access_grants_enabled = true
-  service_accounts_enabled     = false
-  frontchannel_logout_enabled  = var.frontchannel_logout_enabled
+  standard_flow_enabled                     = true
+  implicit_flow_enabled                     = false
+  direct_access_grants_enabled              = true
+  service_accounts_enabled                  = false
+  frontchannel_logout_enabled               = var.frontchannel_logout_enabled
  oauth2_device_authorization_grant_enabled = var.device_authorization_grant_enabled

 }
@ -43,7 +43,7 @@ resource "keycloak_role" "restricted-access" {
 resource "keycloak_role" "admin-role" {
  realm_id    = data.keycloak_realm.realm.id
  client_id   = keycloak_openid_client.client.id
-  name        = "${var.admin_role_name != null ? "${var.admin_role_name}" : "${var.client_name}-admin"}"
+  name        = var.admin_role_name != null ? "${var.admin_role_name}" : "${var.client_name}-admin"
  description = "Client Admin permissions"
 }

@ -53,9 +53,9 @@ resource "keycloak_group" "access_group" {
 }

 resource "keycloak_group" "admin_group" {
-  realm_id = data.keycloak_realm.realm.id
+  realm_id  = data.keycloak_realm.realm.id
  parent_id = keycloak_group.access_group.id
-  name     = "${var.client_name}-admin"
+  name      = "${var.client_name}-admin"
 }

 resource "keycloak_group_roles" "access_group_roles" {
@ -73,3 +73,18 @@ resource "keycloak_group_roles" "admin_group_roles" {
    keycloak_role.admin-role.id
  ]
 }
+
+data "keycloak_group" "super_admin_group" {
+  realm_id = data.keycloak_realm.realm.id
+  name     = "service-admin"
+}
+
+resource "keycloak_group_roles" "super_admin_group_roles" {
+  exhaustive = false
+  realm_id   = data.keycloak_realm.realm.id
+  group_id   = data.keycloak_group.super_admin_group.id
+  role_ids = [
+    keycloak_role.restricted-access.id,
+    keycloak_role.admin-role.id
+  ]
+}