bcgov / moh-keycloak-client-configurations

Apache License 2.0

add prp roles and configure idp restriction module #624

Closed filipflorek closed 1 month ago

filipflorek commented 1 month ago

Changes being made

Add 3 new PRP roles on TEST. Configure idp-restriction-module on Keycloak TEST environment. Replacing hardcoded browser-flow id with a variable.

Quality Check

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌 failure

Terraform formatting errors ``` keycloak-dev/realms/moh_applications/clients.tf --- old/keycloak-dev/realms/moh_applications/clients.tf +++ new/keycloak-dev/realms/moh_applications/clients.tf @@ -160,8 +160,8 @@ ORGANIZATIONS-API = module.ORGANIZATIONS-API } module "USER-MANAGEMENT" { - source = "./clients/user-management" - USER-MANAGEMENT-SERVICE = module.USER-MANAGEMENT-SERVICE + source = "./clients/user-management" + USER-MANAGEMENT-SERVICE = module.USER-MANAGEMENT-SERVICE browser_idp_restriction_flow = local.browser_idp_restriction_flow } module "HCIM_BCMI" { ```
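Review bot: the only substantive change in this hunk is the new `browser_idp_restriction_flow = local.browser_idp_restriction_flow` argument passed to module "USER-MANAGEMENT"; the `source` and `USER-MANAGEMENT-SERVICE` lines the check flagged only need re-alignment to the longer attribute name, so running `terraform fmt -recursive` before pushing (or as a pre-commit hook) keeps this check green. Separately, this file is under keycloak-dev while the PR description scopes the idp-restriction configuration to TEST; if the dev change is the "hardcoded browser-flow id replaced with a variable" refactor mentioned in the description, say so there so a reviewer can tell a refactor from a new flow binding.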
To resolve the issues:
Terraform format instructions

Pushed by: @filipflorek, Action: pull_request

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌 failure

Terraform formatting errors ``` keycloak-test/realms/moh_applications/clients.tf --- old/keycloak-test/realms/moh_applications/clients.tf +++ new/keycloak-test/realms/moh_applications/clients.tf @@ -478,8 +478,8 @@ MSPDIRECT-SERVICE = module.MSPDIRECT-SERVICE } module "USER-MANAGEMENT" { - source = "./clients/user-management" - USER-MANAGEMENT-SERVICE = module.USER-MANAGEMENT-SERVICE + source = "./clients/user-management" + USER-MANAGEMENT-SERVICE = module.USER-MANAGEMENT-SERVICE browser_idp_restriction_flow = local.browser_idp_restriction_flow } module "WEBCAPS" { ```
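Review bot: the value behind `local.browser_idp_restriction_flow` is the thing to check in this keycloak-test hunk: the plan below binds `browser_id = "9e34841a-ef45-47d7-a08a-cb65bc9130e0"` as an `authentication_flow_binding_overrides` override on the USER-MANAGEMENT client, and if the local is a per-environment literal UUID the override silently breaks whenever the flow is recreated; defining the local from the flow resource's `id` (or an authentication-flow data source) keeps the binding tied to the flow that actually exists in that realm. Also note that the plan creates `keycloak_openid_client_default_scopes` for this client as a new resource, which is authoritative for the client's default scope set; confirm the five listed scopes match what the client has today so the apply does not drop one. The format failure itself is the same alignment-only issue as in keycloak-dev and is fixed by `terraform fmt`.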
To resolve the issues:
Terraform format instructions

Pushed by: @filipflorek, Action: pull_request

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Terraform Plan 📖 success

Show Plan

```
      + valid_redirect_uris = []
      + web_origins         = []
        # (23 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT.keycloak_openid_client.CLIENT will be updated in-place
  ~ resource "keycloak_openid_client" "CLIENT" {
        id          = "cc4d80a5-4a1c-4d80-a2c3-59d3ebde880d"
      + login_theme = "moh-app-realm-idp-restriction"
        name        = "MoH User Management"
        # (25 unchanged attributes hidden)

      + authentication_flow_binding_overrides {
          + browser_id = "9e34841a-ef45-47d7-a08a-cb65bc9130e0"
        }
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT.keycloak_openid_client_default_scopes.client_default_scopes will be created
  + resource "keycloak_openid_client_default_scopes" "client_default_scopes" {
      + client_id      = "cc4d80a5-4a1c-4d80-a2c3-59d3ebde880d"
      + default_scopes = [
          + "email",
          + "idir_aad",
          + "profile",
          + "roles",
          + "web-origins",
        ]
      + id             = (known after apply)
      + realm_id       = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-SERVICE.module.client-roles.keycloak_role.ROLES["PRP_LTC"] will be created
  + resource "keycloak_role" "ROLES" {
      + client_id = "6769c9f4-480d-49f6-acd5-2bcf95554d19"
      + id        = (known after apply)
      + name      = "PRP_LTC"
      + realm_id  = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-SERVICE.module.client-roles.keycloak_role.ROLES["PRP_ReportProgram_LTC"] will be created
  + resource "keycloak_role" "ROLES" {
      + client_id = "6769c9f4-480d-49f6-acd5-2bcf95554d19"
      + id        = (known after apply)
      + name      = "PRP_ReportProgram_LTC"
      + realm_id  = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-SERVICE.module.client-roles.keycloak_role.ROLES["PRP_ReportSection_LTC"] will be created
  + resource "keycloak_role" "ROLES" {
      + client_id = "6769c9f4-480d-49f6-acd5-2bcf95554d19"
      + id        = (known after apply)
      + name      = "PRP_ReportSection_LTC"
      + realm_id  = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-WEB.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PRP-SERVICE/PRP_LTC"] will be created
  + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" {
      + client_id = "dc91ec52-7b17-40bd-94a9-9831f1481c9e"
      + id        = (known after apply)
      + realm_id  = "moh_applications"
      + role_id   = (known after apply)
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-WEB.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PRP-SERVICE/PRP_ReportProgram_LTC"] will be created
  + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" {
      + client_id = "dc91ec52-7b17-40bd-94a9-9831f1481c9e"
      + id        = (known after apply)
      + realm_id  = "moh_applications"
      + role_id   = (known after apply)
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-WEB.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PRP-SERVICE/PRP_ReportSection_LTC"] will be created
  + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" {
      + client_id = "dc91ec52-7b17-40bd-94a9-9831f1481c9e"
      + id        = (known after apply)
      + realm_id  = "moh_applications"
      + role_id   = (known after apply)
    }

Plan: 7 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
```

Pushed by: @filipflorek, Action: pull_request

github-actions[bot] commented 1 month ago

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Terraform Plan 📖 success

Show Plan

```
module.KEYCLOAK_DEV.module.moh_applications.module.CGI-AM-TEAM.keycloak_group_roles.GROUP_ROLES: Refreshing state... [id=moh_applications/053fa749-b569-4258-bc9e-bc8ca0541dfe]
module.KEYCLOAK_TEST.module.moh_applications.module.CGI-QA.keycloak_group_roles.GROUP_ROLES: Refreshing state... [id=moh_applications/658f081c-a8b0-4c1b-b9ee-7e8901158ce7]
module.KEYCLOAK_PROD.module.moh_applications.module.CGI-AM-TEAM.keycloak_group_roles.GROUP_ROLES: Refreshing state... [id=moh_applications/270966e6-985c-4d55-a35c-53e32ab4cf46]
module.KEYCLOAK_TEST.module.moh_applications.module.CGI-AM-TEAM.keycloak_group_roles.GROUP_ROLES: Refreshing state... [id=moh_applications/eb2dce73-6fe7-4b63-8b7a-c5995a530714]
module.KEYCLOAK_TEST.module.moh_applications.module.CGI-DEVELOPER.keycloak_group_roles.GROUP_ROLES: Refreshing state... [id=moh_applications/ba2aead8-cd2d-4519-991b-3bd44c71c057]
module.KEYCLOAK_TEST.module.moh_applications.module.DMFT-SERVICE.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PIDP-SERVICE/view_endorsement_data"]: Refreshing state... [id=moh_applications/client/5ab8cf72-d7cc-44dd-b108-89a5a7bced3c/scope-mappings/55c07ad0-ac04-4eed-b98a-85aa8551163f/445a4140-5403-464b-942e-d701738db30c]
module.KEYCLOAK_TEST.module.moh_applications.module.DMFT-SERVICE.module.service-account-roles.keycloak_openid_client_service_account_role.ROLE["PIDP-SERVICE/view_endorsement_data"]: Refreshing state... [id=c7d414f8-75ae-4cf2-a8dd-18f1c9b6d66b/445a4140-5403-464b-942e-d701738db30c]
module.KEYCLOAK_TEST.module.moh_applications.module.PIDP-WEBAPP.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PIDP-SERVICE/feature_pidp_demo"]: Refreshing state... [id=moh_applications/client/1065e2c3-8280-4bce-a170-e7fe044b285e/scope-mappings/55c07ad0-ac04-4eed-b98a-85aa8551163f/458dd0fd-a742-4df1-b3ef-56ac85d7d8a9]
module.KEYCLOAK_TEST.module.moh_applications.module.PIDP-WEBAPP.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["account/view-profile"]: Refreshing state... [id=moh_applications/client/1065e2c3-8280-4bce-a170-e7fe044b285e/scope-mappings/f7e7a2f0-6e8c-4037-ae60-439017c25321/cada8e04-363d-4213-a77f-2991c3fa50a3]
module.KEYCLOAK_TEST.module.moh_applications.module.PIDP-WEBAPP.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PIDP-SERVICE/ADMIN"]: Refreshing state... [id=moh_applications/client/1065e2c3-8280-4bce-a170-e7fe044b285e/scope-mappings/55c07ad0-ac04-4eed-b98a-85aa8551163f/c043fe54-6899-4e2e-94b6-a85c0051b7ab]
module.KEYCLOAK_TEST.module.moh_applications.module.PIDP-WEBAPP.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PIDP-SERVICE/USER"]: Refreshing state... [id=moh_applications/client/1065e2c3-8280-4bce-a170-e7fe044b285e/scope-mappings/55c07ad0-ac04-4eed-b98a-85aa8551163f/1814fe67-a84e-4ca7-9bcc-656b02c64c98]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT.keycloak_openid_client.CLIENT will be updated in-place
  ~ resource "keycloak_openid_client" "CLIENT" {
        id          = "cc4d80a5-4a1c-4d80-a2c3-59d3ebde880d"
      + login_theme = "moh-app-realm-idp-restriction"
        name        = "MoH User Management"
        # (25 unchanged attributes hidden)

      + authentication_flow_binding_overrides {
          + browser_id = "9e34841a-ef45-47d7-a08a-cb65bc9130e0"
        }
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.USER-MANAGEMENT.keycloak_openid_client_default_scopes.client_default_scopes will be created
  + resource "keycloak_openid_client_default_scopes" "client_default_scopes" {
      + client_id      = "cc4d80a5-4a1c-4d80-a2c3-59d3ebde880d"
      + default_scopes = [
          + "email",
          + "idir_aad",
          + "profile",
          + "roles",
          + "web-origins",
        ]
      + id             = (known after apply)
      + realm_id       = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-SERVICE.module.client-roles.keycloak_role.ROLES["PRP_LTC"] will be created
  + resource "keycloak_role" "ROLES" {
      + client_id = "6769c9f4-480d-49f6-acd5-2bcf95554d19"
      + id        = (known after apply)
      + name      = "PRP_LTC"
      + realm_id  = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-SERVICE.module.client-roles.keycloak_role.ROLES["PRP_ReportProgram_LTC"] will be created
  + resource "keycloak_role" "ROLES" {
      + client_id = "6769c9f4-480d-49f6-acd5-2bcf95554d19"
      + id        = (known after apply)
      + name      = "PRP_ReportProgram_LTC"
      + realm_id  = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-SERVICE.module.client-roles.keycloak_role.ROLES["PRP_ReportSection_LTC"] will be created
  + resource "keycloak_role" "ROLES" {
      + client_id = "6769c9f4-480d-49f6-acd5-2bcf95554d19"
      + id        = (known after apply)
      + name      = "PRP_ReportSection_LTC"
      + realm_id  = "moh_applications"
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-WEB.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PRP-SERVICE/PRP_LTC"] will be created
  + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" {
      + client_id = "dc91ec52-7b17-40bd-94a9-9831f1481c9e"
      + id        = (known after apply)
      + realm_id  = "moh_applications"
      + role_id   = (known after apply)
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-WEB.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PRP-SERVICE/PRP_ReportProgram_LTC"] will be created
  + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" {
      + client_id = "dc91ec52-7b17-40bd-94a9-9831f1481c9e"
      + id        = (known after apply)
      + realm_id  = "moh_applications"
      + role_id   = (known after apply)
    }

  # module.KEYCLOAK_TEST.module.moh_applications.module.PRP-WEB.module.scope-mappings.keycloak_generic_client_role_mapper.SCOPE-MAPPING["PRP-SERVICE/PRP_ReportSection_LTC"] will be created
  + resource "keycloak_generic_client_role_mapper" "SCOPE-MAPPING" {
      + client_id = "dc91ec52-7b17-40bd-94a9-9831f1481c9e"
      + id        = (known after apply)
      + realm_id  = "moh_applications"
      + role_id   = (known after apply)
    }

Plan: 7 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
```

Pushed by: @filipflorek, Action: pull_request