bcgov / moh-keycloak-client-configurations

Apache License 2.0

Create phlat staging client #574

Closed filipflorek closed 1 month ago

filipflorek commented 1 month ago

Changes being made

Creating PHLAT WEB and SERVICE clients. Updating UMS/UMC config, group management and realm roles so that it's available for admins through UMC.

Context

The PHLAT staging environment uses a different dataset, so it requires a separate client.

Quality Check

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Terraform Plan 📖 success

Show Plan ``` + full_scope_allowed = false + id = (known after apply) + implicit_flow_enabled = false + name = "PHLAT STAGING" + oauth2_device_authorization_grant_enabled = false + pkce_code_challenge_method = "S256" + realm_id = "moh_applications" + resource_server_id = (known after apply) + service_account_user_id = (known after apply) + service_accounts_enabled = false + standard_flow_enabled = true + use_refresh_tokens = true + use_refresh_tokens_client_credentials = false + valid_redirect_uris = [ + "https://phlat-stg.hlth.gov.bc.ca/*", ] + web_origins = [ + "+", ] } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT-WEB-STAGING.keycloak_openid_user_client_role_protocol_mapper.Client-Role-Mapper-PHLAT will be created + resource "keycloak_openid_user_client_role_protocol_mapper" "Client-Role-Mapper-PHLAT" { + add_to_access_token = true + add_to_id_token = true + add_to_userinfo = true + claim_name = "roles" + claim_value_type = "String" + client_id = (known after apply) + client_id_for_role_mappings = "PHLAT-WEB-STAGING" + id = (known after apply) + multivalued = true + name = "PHLAT Role Mapper" + realm_id = "moh_applications" } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT-SERVICE-STAGING.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PLR_STG/REG_ADMIN"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = (known after apply) + id = (known after apply) + realm_id = "moh_applications" + role_id = "6c7a0719-a159-4f72-a7c3-513ab1509354" } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT-SERVICE-STAGING.module.service-account-roles.keycloak_openid_client_service_account_realm_role.ROLE["default-roles-moh_applications"] will be created + resource "keycloak_openid_client_service_account_realm_role" "ROLE" { + id = (known after apply) + realm_id = "moh_applications" + role = "default-roles-moh_applications" + service_account_user_id = (known after apply) } # 
module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT-SERVICE-STAGING.module.service-account-roles.keycloak_openid_client_service_account_role.ROLE["PLR_STG/REG_ADMIN"] will be created + resource "keycloak_openid_client_service_account_role" "ROLE" { + client_id = "2e161683-3c4d-4a2a-a86b-c83f2fe3e3d7" + id = (known after apply) + realm_id = "moh_applications" + role = "REG_ADMIN" + service_account_user_id = (known after apply) } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT-WEB-STAGING.module.client-roles.keycloak_role.ROLES["REG_ADMIN"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_ADMIN" + realm_id = "moh_applications" } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT-WEB-STAGING.module.client-roles.keycloak_role.ROLES["REG_USER"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_USER" + realm_id = "moh_applications" } # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["USER-MANAGEMENT-SERVICE/view-client-phlat-web-staging"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = "cc4d80a5-4a1c-4d80-a2c3-59d3ebde880d" + id = (known after apply) + realm_id = "moh_applications" + role_id = (known after apply) } # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT-SERVICE.module.client-roles.keycloak_role.ROLES["view-client-phlat-web-staging"] will be created + resource "keycloak_role" "ROLES" { + client_id = "ab6e0d99-9205-4625-8ea4-88835ddd36ae" + id = (known after apply) + name = "view-client-phlat-web-staging" + realm_id = "moh_applications" } Plan: 14 to add, 2 to change, 0 to destroy. 
───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. ```

Pushed by: @filipflorek, Action: pull_request

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Terraform Plan 📖 success

Show Plan ``` + full_scope_allowed = false + id = (known after apply) + implicit_flow_enabled = false + name = "PHLAT STAGING" + oauth2_device_authorization_grant_enabled = false + pkce_code_challenge_method = "S256" + realm_id = "moh_applications" + resource_server_id = (known after apply) + service_account_user_id = (known after apply) + service_accounts_enabled = false + standard_flow_enabled = true + use_refresh_tokens = true + use_refresh_tokens_client_credentials = false + valid_redirect_uris = [ + "https://phlat-stg.hlth.gov.bc.ca/*", ] + web_origins = [ + "+", ] } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT_STG-WEB.keycloak_openid_user_client_role_protocol_mapper.Client-Role-Mapper-PHLAT will be created + resource "keycloak_openid_user_client_role_protocol_mapper" "Client-Role-Mapper-PHLAT" { + add_to_access_token = true + add_to_id_token = true + add_to_userinfo = true + claim_name = "roles" + claim_value_type = "String" + client_id = (known after apply) + client_id_for_role_mappings = "PHLAT_STG-WEB" + id = (known after apply) + multivalued = true + name = "PHLAT Role Mapper" + realm_id = "moh_applications" } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT_STG-SERVICE.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PLR_STG/REG_ADMIN"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = (known after apply) + id = (known after apply) + realm_id = "moh_applications" + role_id = "6c7a0719-a159-4f72-a7c3-513ab1509354" } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT_STG-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_realm_role.ROLE["default-roles-moh_applications"] will be created + resource "keycloak_openid_client_service_account_realm_role" "ROLE" { + id = (known after apply) + realm_id = "moh_applications" + role = "default-roles-moh_applications" + service_account_user_id = (known after apply) } # 
module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT_STG-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_role.ROLE["PLR_STG/REG_ADMIN"] will be created + resource "keycloak_openid_client_service_account_role" "ROLE" { + client_id = "2e161683-3c4d-4a2a-a86b-c83f2fe3e3d7" + id = (known after apply) + realm_id = "moh_applications" + role = "REG_ADMIN" + service_account_user_id = (known after apply) } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT_STG-WEB.module.client-roles.keycloak_role.ROLES["REG_ADMIN"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_ADMIN" + realm_id = "moh_applications" } # module.KEYCLOAK_TEST.module.moh_applications.module.PHLAT_STG-WEB.module.client-roles.keycloak_role.ROLES["REG_USER"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_USER" + realm_id = "moh_applications" } # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["USER-MANAGEMENT-SERVICE/view-client-phlat_stg-web"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = "cc4d80a5-4a1c-4d80-a2c3-59d3ebde880d" + id = (known after apply) + realm_id = "moh_applications" + role_id = (known after apply) } # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT-SERVICE.module.client-roles.keycloak_role.ROLES["view-client-phlat_stg-web"] will be created + resource "keycloak_role" "ROLES" { + client_id = "ab6e0d99-9205-4625-8ea4-88835ddd36ae" + id = (known after apply) + name = "view-client-phlat_stg-web" + realm_id = "moh_applications" } Plan: 14 to add, 2 to change, 0 to destroy. 
───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. ```

Pushed by: @filipflorek, Action: pull_request