keycloak / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
Apache License 2.0

How to configure Service account roles #883

Closed thesse1 closed 1 year ago

thesse1 commented 1 year ago

For a Keycloak OpenID Connect application, is it possible to configure the service account roles using this provider?


I have not found a way to do this. I tried the following:

resource "keycloak_openid_client" "apigateway" {
  realm_id                 = data.keycloak_realm.default.id
  client_id                = "apigateway"
  client_secret            = "manage"

  name                     = "API Gateway"
  enabled                  = true

  access_type              = "CONFIDENTIAL"
  service_accounts_enabled = true
}

data "keycloak_openid_client" "realm_management" {
  realm_id  = data.keycloak_realm.default.id
  client_id = "realm-management"
}

data "keycloak_role" "create_client" {
  realm_id  = data.keycloak_realm.default.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "create-client"
}

data "keycloak_role" "query_clients" {
  realm_id  = data.keycloak_realm.default.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "query-clients"
}

data "keycloak_role" "manage_clients" {
  realm_id  = data.keycloak_realm.default.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "manage-clients"
}

data "keycloak_role" "view_clients" {
  realm_id  = data.keycloak_realm.default.id
  client_id = data.keycloak_openid_client.realm_management.id
  name      = "view-clients"
}

resource "keycloak_generic_role_mapper" "apigateway_create_client" {
  realm_id  = data.keycloak_realm.default.id
  client_id = keycloak_openid_client.apigateway.id
  role_id   = data.keycloak_role.create_client.id
}

resource "keycloak_generic_role_mapper" "apigateway_query_clients" {
  realm_id  = data.keycloak_realm.default.id
  client_id = keycloak_openid_client.apigateway.id
  role_id   = data.keycloak_role.query_clients.id
}

resource "keycloak_generic_role_mapper" "apigateway_manage_clients" {
  realm_id  = data.keycloak_realm.default.id
  client_id = keycloak_openid_client.apigateway.id
  role_id   = data.keycloak_role.manage_clients.id
}

resource "keycloak_generic_role_mapper" "apigateway_view_clients" {
  realm_id  = data.keycloak_realm.default.id
  client_id = keycloak_openid_client.apigateway.id
  role_id   = data.keycloak_role.view_clients.id
}

But that was not successful. (Probably nonsense?)

Thanks a lot!

Best regards, Thomas

Redestros commented 1 year ago

To configure service account roles, you can use these resources:

You can find more info in the doc.
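As an added example (the editor's, not code from the thread or the provider's own docs): the `keycloak_generic_role_mapper` blocks in the question configure the client's scope mapping, i.e. which roles may be included in tokens, whereas a service account role is a role assigned to the hidden service-account user that Keycloak creates when `service_accounts_enabled = true`. The provider exposes that user's id as the computed `service_account_user_id` attribute of `keycloak_openid_client`, and the `keycloak_openid_client_service_account_role` resource assigns a client role to it; this snippet assumes the `data.keycloak_realm.default`, `keycloak_openid_client.apigateway` and `data.keycloak_openid_client.realm_management` blocks from the question above.

```hcl
# Added example: grant realm-management client roles to the service account
# user of the "apigateway" client. Assumes the realm, apigateway client and
# realm-management data source declared in the question above.

locals {
  # Only the realm-management roles the gateway actually needs. Each of these
  # lets the service account administer clients in the realm, so keep the set
  # as small as the gateway's job allows.
  apigateway_service_account_roles = toset([
    "create-client",
    "query-clients",
    "manage-clients",
    "view-clients",
  ])
}

resource "keycloak_openid_client_service_account_role" "apigateway" {
  for_each = local.apigateway_service_account_roles

  realm_id = data.keycloak_realm.default.id

  # The service account is a hidden user created by Keycloak when
  # service_accounts_enabled = true; the provider exposes its id here.
  service_account_user_id = keycloak_openid_client.apigateway.service_account_user_id

  # The client that owns the role being granted (here: realm-management).
  client_id = data.keycloak_openid_client.realm_management.id

  # Role name exactly as shown in the Keycloak admin console.
  role = each.value
}
```

Roles defined at realm level rather than on a client are assigned with `keycloak_openid_client_service_account_realm_role`, which takes the same `realm_id` and `service_account_user_id` plus the realm role name.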

thesse1 commented 1 year ago

Hi @Redestros, thanks a lot for your quick response. This is working fine now. Don't know why I overlooked this resource in the documentation. Maybe you could also have a look at https://github.com/mrparkers/terraform-provider-keycloak/issues/882. This is the only open point for me right now. Thanks!

Best regards, Thomas

Redestros commented 1 year ago

@mrparkers can you close this issue please?

mrparkers commented 1 year ago

Of course, glad you were able to get this resolved 😄