Add Terraform Stage 1

2023-09-14 07:09:02 +02:00
parent af3e66f901
commit f0bae5e031
23 changed files with 597 additions and 0 deletions
--- a/tf-stage-1/modules/dns/dns.tf
+++ b/tf-stage-1/modules/dns/dns.tf
@ -0,0 +1,14 @@
+resource "cloudflare_zone" "zone" {
+  account_id = var.account_id
+  zone       = var.zone
+}
+
+resource "cloudflare_record" "records" {
+  zone_id  = cloudflare_zone.zone.id
+  for_each = { for record in var.records : uuidv5("dns", "${record.type}/${record.name}/${record.value}") => record } # Hackery.
+  name     = each.value.name
+  value    = each.value.value
+  type     = each.value.type
+  ttl      = 1
+  priority = each.value.type == "MX" ? each.value.priority : null
+}
--- a/tf-stage-1/modules/dns/main.tf
+++ b/tf-stage-1/modules/dns/main.tf
@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+}
+
--- a/tf-stage-1/modules/dns/variables.tf
+++ b/tf-stage-1/modules/dns/variables.tf
@ -0,0 +1,10 @@
+variable "account_id" {
+  type      = string
+  sensitive = true
+}
+variable "zone" {
+  type = string
+}
+variable "records" {
+  type = set(object({ type = string, name = string, value = string, priority = optional(number) }))
+}
--- a/tf-stage-1/modules/kc-client/client.tf
+++ b/tf-stage-1/modules/kc-client/client.tf
@ -0,0 +1,74 @@
+data "keycloak_realm" "realm" {
+  realm = var.realm
+}
+
+resource "keycloak_openid_client" "client" {
+  realm_id  = data.keycloak_realm.realm.id
+  client_id = var.client_id
+  client_secret = var.client_secret
+
+  name        = var.client_name
+  description = var.description
+
+  enabled                   = var.enabled
+  access_type               = var.access_type
+  client_authenticator_type = var.client_authenticator_type
+
+  root_url               = var.root_url
+  base_url               = var.base_url
+  admin_url              = var.admin_url
+  backchannel_logout_url = var.backchannel_logout_url
+
+  valid_redirect_uris = var.valid_redirect_uris
+  web_origins         = var.web_origins
+
+  login_theme = var.login_theme
+
+  standard_flow_enabled        = true
+  implicit_flow_enabled        = false
+  direct_access_grants_enabled = true
+  service_accounts_enabled     = false
+  frontchannel_logout_enabled  = false
+
+}
+
+resource "keycloak_role" "restricted-access" {
+  realm_id    = data.keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.client.id
+  name        = "restricted-access"
+  description = "Restricts access to the client"
+}
+
+resource "keycloak_role" "admin-role" {
+  realm_id    = data.keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.client.id
+  name        = "${var.admin_role_name != null ? "${var.admin_role_name}" : "${var.client_name}-admin"}"
+  description = "Client Admin permissions"
+}
+
+resource "keycloak_group" "access_group" {
+  realm_id = data.keycloak_realm.realm.id
+  name     = var.client_name
+}
+
+resource "keycloak_group" "admin_group" {
+  realm_id = data.keycloak_realm.realm.id
+  parent_id = keycloak_group.access_group.id
+  name     = "${var.client_name}-admin"
+}
+
+resource "keycloak_group_roles" "access_group_roles" {
+  realm_id = data.keycloak_realm.realm.id
+  group_id = keycloak_group.access_group.id
+  role_ids = [
+    keycloak_role.restricted-access.id
+  ]
+}
+
+resource "keycloak_group_roles" "admin_group_roles" {
+  realm_id = data.keycloak_realm.realm.id
+  group_id = keycloak_group.admin_group.id
+  role_ids = [
+    keycloak_role.admin-role.id
+  ]
+}
--- a/tf-stage-1/modules/kc-client/main.tf
+++ b/tf-stage-1/modules/kc-client/main.tf
@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source = "mrparkers/keycloak"
+      version = "~> 4.3.0"
+    }
+  }
+}
--- a/tf-stage-1/modules/kc-client/outputs.tf
+++ b/tf-stage-1/modules/kc-client/outputs.tf
@ -0,0 +1,12 @@
+output "client" {
+  value = keycloak_openid_client.client
+}
+output "admin_group" {
+  value = keycloak_group.admin_group
+}
+output "access_group" {
+  value = keycloak_group.access_group
+}
+output "realm" {
+  value = data.keycloak_realm.realm
+}
--- a/tf-stage-1/modules/kc-client/variables.tf
+++ b/tf-stage-1/modules/kc-client/variables.tf
@ -0,0 +1,75 @@
+variable "client_id" {
+  type = string
+}
+variable "client_name" {
+  type = string
+}
+
+variable "admin_role_name" {
+  type = string
+  default = null
+}
+
+variable "client_secret" {
+  type      = string
+  default   = null
+  sensitive = true
+}
+
+variable "description" {
+  type = string
+}
+variable "access_type" {
+  type    = string
+  default = "CONFIDENTIAL"
+}
+
+variable "realm" {
+  type = string
+}
+
+variable "client_authenticator_type" {
+  type    = string
+  default = "client-secret"
+}
+
+variable "root_url" { # requires web_origins, admin_url and valid_redirect_uris to be set...
+  type    = string
+  default = null
+}
+
+variable "admin_url" {
+  type    = string
+  default = null
+}
+
+variable "base_url" {
+  type    = string
+  default = null
+}
+
+variable "web_origins" {
+  type    = list(string)
+  default = null
+}
+
+variable "backchannel_logout_url" {
+  type        = string
+  default     = null
+  description = "The URL to which a backchannel logout request will be sent from the Keycloak server."
+}
+variable "valid_redirect_uris" {
+  type = list(string)
+}
+variable "enabled" {
+  type    = bool
+  default = true
+}
+
+
+# Default settings for all clients:
+
+variable "login_theme" {
+  type    = string
+  default = "keywind"
+}