infrastructure/tf-stage-1/service_grafana.tf
2024-03-11 06:57:15 +01:00

111 lines
3.4 KiB
HCL

module "grafanaclient" {
source = "./modules/kc-client"
realm = var.realm
client_id = "grafana"
client_name = "Grafana"
client_secret = var.grafana_secret
description = "https://grafana.tobiasmanske.de"
admin_role_name = "serveradmin"
root_url = "https://grafana.tobiasmanske.de"
admin_url = "https://grafana.tobiasmanske.de"
base_url = "https://grafana.tobiasmanske.de"
valid_redirect_uris = ["https://grafana.tobiasmanske.de/*"]
web_origins = ["https://grafana.tobiasmanske.de"]
}
resource "keycloak_openid_group_membership_protocol_mapper" "grafana-membership-mapper" {
realm_id = module.grafanaclient.realm.id
client_id = module.grafanaclient.client.id
name = "Group Mapper"
claim_name = "groups"
full_path = false
add_to_userinfo = true
add_to_access_token = false
add_to_id_token = true
}
resource "keycloak_openid_user_property_protocol_mapper" "grafana-username-mapper" {
realm_id = module.grafanaclient.realm.id
client_id = module.grafanaclient.client.id
name = "username"
user_property = "username"
claim_name = "preferred_username"
add_to_userinfo = true
add_to_access_token = true
add_to_id_token = false
}
resource "keycloak_openid_user_client_role_protocol_mapper" "grafana-role-mapper" {
realm_id = module.grafanaclient.realm.id
client_id = module.grafanaclient.client.id
multivalued = true
name = "user-client-role-mapper"
claim_name = "resource_access.$${client_id}.roles"
add_to_userinfo = true
add_to_access_token = true
add_to_id_token = false
}
resource "keycloak_role" "grafana-admin" {
realm_id = module.grafanaclient.realm.id
client_id = module.grafanaclient.client.id
name = "admin"
description = "Admin"
}
resource "keycloak_role" "grafana-editor" {
realm_id = module.grafanaclient.realm.id
client_id = module.grafanaclient.client.id
name = "editor"
description = "Editor"
}
resource "keycloak_role" "grafana-viewer" {
realm_id = module.grafanaclient.realm.id
client_id = module.grafanaclient.client.id
name = "viewer"
description = "Viewer"
}
resource "keycloak_group" "grafana_viewer_group" {
realm_id = module.grafanaclient.realm.id
parent_id = module.grafanaclient.access_group.id
name = "grafana-viewer"
}
resource "keycloak_group" "grafana_editor_group" {
realm_id = module.grafanaclient.realm.id
parent_id = module.grafanaclient.access_group.id
name = "grafana-editor"
}
resource "keycloak_group" "grafana_orgadmin_group" {
realm_id = module.grafanaclient.realm.id
parent_id = module.grafanaclient.access_group.id
name = "grafana-orgadmin"
}
resource "keycloak_group_roles" "grafana_viewer_roles" {
realm_id = module.grafanaclient.realm.id
group_id = keycloak_group.grafana_viewer_group.id
role_ids = [
keycloak_role.grafana-viewer.id
]
}
resource "keycloak_group_roles" "grafana_editor_roles" {
realm_id = module.grafanaclient.realm.id
group_id = keycloak_group.grafana_editor_group.id
role_ids = [
keycloak_role.grafana-editor.id
]
}
resource "keycloak_group_roles" "grafana_orgadmin_roles" {
realm_id = module.grafanaclient.realm.id
group_id = keycloak_group.grafana_orgadmin_group.id
role_ids = [
keycloak_role.grafana-admin.id
]
}