promote phlat to production

filipflorek commented 1 month ago

Changes being made

Promoting PHLAT clients to Production. Changes include:

Create PHLAT-WEB client. Public client with default access token lifespan.
Create PHLAT-SERVICE client. Service account used to communicate with PLR.
Create PHLAT-MANAGEMENT group so users' access can be managed through UMC.
Update UMC and UMS config to include view-client-phlat-web role
Update ManageUsers realm role.

Context

Client onboarding PHLAT is moving to Production.

Quality Check

[x] Client has Name and Description defined.
[x] Full Scope Allowed is disabled.
[x] Direct Access Grants Enabled is disabled.
[x] Valid Redirect URIs are properly defined, or explanation for * (allow all) is provided.
[x] Web Origins are set to + instead of * to restrict the CORS origins.
[x] Client Scopes are not assigned to client, or explanation for doing so is provided.
[x] Client module and all references are defined in clients.tf in realm root folder. Same rule applies to other resources, like groups and realm roles.
[x] Terraform plan contains only my changes, or other developers are aware that their manual changes can be overridden.
[x] CMDB is updated, if applicable.
[x] When updating composite roles (eg. Realm roles) and scope mapping resources, remember to re-run the apply.

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Validation 🤖`success`

Terraform Plan 📖`success`

Show Plan

``` + full_scope_allowed = false + id = (known after apply) + implicit_flow_enabled = false + name = "PHLAT" + oauth2_device_authorization_grant_enabled = false + pkce_code_challenge_method = "S256" + realm_id = "moh_applications" + resource_server_id = (known after apply) + service_account_user_id = (known after apply) + service_accounts_enabled = false + standard_flow_enabled = true + use_refresh_tokens = true + use_refresh_tokens_client_credentials = false + valid_redirect_uris = [ + "https://phlat.hlth.gov.bc.ca/*", ] + web_origins = [ + "+", ] } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-WEB.keycloak_openid_user_client_role_protocol_mapper.Client-Role-Mapper-PHLAT will be created + resource "keycloak_openid_user_client_role_protocol_mapper" "Client-Role-Mapper-PHLAT" { + add_to_access_token = true + add_to_id_token = true + add_to_userinfo = true + claim_name = "roles" + claim_value_type = "String" + client_id = (known after apply) + client_id_for_role_mappings = "PHLAT-WEB" + id = (known after apply) + multivalued = true + name = "PHLAT Role Mapper" + realm_id = "moh_applications" } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-SERVICE.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PLR/REG_ADMIN"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = (known after apply) + id = (known after apply) + realm_id = "moh_applications" + role_id = "bdc57be4-258c-4b28-b86d-f4b66e8ea8fb" } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_realm_role.ROLE["default-roles-moh_applications"] will be created + resource "keycloak_openid_client_service_account_realm_role" "ROLE" { + id = (known after apply) + realm_id = "moh_applications" + role = "default-roles-moh_applications" + service_account_user_id = (known after apply) } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_role.ROLE["PLR/REG_ADMIN"] will be created + resource "keycloak_openid_client_service_account_role" "ROLE" { + client_id = "cecd3d4b-f68e-4c4a-a9c4-5a2db9aef8ee" + id = (known after apply) + realm_id = "moh_applications" + role = "REG_ADMIN" + service_account_user_id = (known after apply) } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-WEB.module.client-roles.keycloak_role.ROLES["REG_ADMIN"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_ADMIN" + realm_id = "moh_applications" } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-WEB.module.client-roles.keycloak_role.ROLES["REG_USER"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_USER" + realm_id = "moh_applications" } # module.KEYCLOAK_PROD.module.moh_applications.module.USER-MANAGEMENT.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["USER-MANAGEMENT-SERVICE/view-client-phlat-web"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = "64028a9d-1033-438f-8db8-681dc0a97e51" + id = (known after apply) + realm_id = "moh_applications" + role_id = (known after apply) } # module.KEYCLOAK_PROD.module.moh_applications.module.USER-MANAGEMENT-SERVICE.module.client-roles.keycloak_role.ROLES["view-client-phlat-web"] will be created + resource "keycloak_role" "ROLES" { + client_id = "bd2e86ec-254f-4ddf-82f3-6e31e70b5bd8" + id = (known after apply) + name = "view-client-phlat-web" + realm_id = "moh_applications" } Plan: 16 to add, 1 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. ```

Pushed by: @filipflorek, Action: pull_request

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌`success`

Terraform Initialization ⚙️`success`

Terraform Validation 🤖`success`

Terraform Plan 📖`success`

Show Plan

``` + full_scope_allowed = false + id = (known after apply) + implicit_flow_enabled = false + name = "PHLAT" + oauth2_device_authorization_grant_enabled = false + pkce_code_challenge_method = "S256" + realm_id = "moh_applications" + resource_server_id = (known after apply) + service_account_user_id = (known after apply) + service_accounts_enabled = false + standard_flow_enabled = true + use_refresh_tokens = true + use_refresh_tokens_client_credentials = false + valid_redirect_uris = [ + "https://phlat.hlth.gov.bc.ca/*", ] + web_origins = [ + "+", ] } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-WEB.keycloak_openid_user_client_role_protocol_mapper.Client-Role-Mapper-PHLAT will be created + resource "keycloak_openid_user_client_role_protocol_mapper" "Client-Role-Mapper-PHLAT" { + add_to_access_token = true + add_to_id_token = true + add_to_userinfo = true + claim_name = "roles" + claim_value_type = "String" + client_id = (known after apply) + client_id_for_role_mappings = "PHLAT-WEB" + id = (known after apply) + multivalued = true + name = "PHLAT Role Mapper" + realm_id = "moh_applications" } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-SERVICE.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PLR/REG_ADMIN"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = (known after apply) + id = (known after apply) + realm_id = "moh_applications" + role_id = "bdc57be4-258c-4b28-b86d-f4b66e8ea8fb" } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_realm_role.ROLE["default-roles-moh_applications"] will be created + resource "keycloak_openid_client_service_account_realm_role" "ROLE" { + id = (known after apply) + realm_id = "moh_applications" + role = "default-roles-moh_applications" + service_account_user_id = (known after apply) } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_role.ROLE["PLR/REG_ADMIN"] will be created + resource "keycloak_openid_client_service_account_role" "ROLE" { + client_id = "cecd3d4b-f68e-4c4a-a9c4-5a2db9aef8ee" + id = (known after apply) + realm_id = "moh_applications" + role = "REG_ADMIN" + service_account_user_id = (known after apply) } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-WEB.module.client-roles.keycloak_role.ROLES["REG_ADMIN"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_ADMIN" + realm_id = "moh_applications" } # module.KEYCLOAK_PROD.module.moh_applications.module.PHLAT-WEB.module.client-roles.keycloak_role.ROLES["REG_USER"] will be created + resource "keycloak_role" "ROLES" { + client_id = (known after apply) + id = (known after apply) + name = "REG_USER" + realm_id = "moh_applications" } # module.KEYCLOAK_PROD.module.moh_applications.module.USER-MANAGEMENT.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["USER-MANAGEMENT-SERVICE/view-client-phlat-web"] will be created + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" { + client_id = "64028a9d-1033-438f-8db8-681dc0a97e51" + id = (known after apply) + realm_id = "moh_applications" + role_id = (known after apply) } # module.KEYCLOAK_PROD.module.moh_applications.module.USER-MANAGEMENT-SERVICE.module.client-roles.keycloak_role.ROLES["view-client-phlat-web"] will be created + resource "keycloak_role" "ROLES" { + client_id = "bd2e86ec-254f-4ddf-82f3-6e31e70b5bd8" + id = (known after apply) + name = "view-client-phlat-web" + realm_id = "moh_applications" } Plan: 16 to add, 1 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. ```

Pushed by: @filipflorek, Action: pull_request

bcgov / moh-keycloak-client-configurations