mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

Exported attributes of keycloak_client_description_converter #827

Open svencan opened 1 year ago

svencan commented 1 year ago

Hello! I'm very happy I found this provider for terraform.

However I'm having issues trying to create clients based on SAML metadata which is present in XML format. The documentation for keycloak_client_description_converter states "The exported attributes for this data source are a combination of the attributes for the keycloak_openid_client and keycloak_saml_client resources."

Thinking this would be easy, I tried:

```hcl
data "keycloak_client_description_converter" "admin_client" {
    realm_id = keycloak_realm.engine.id
    body     = data.aws_s3_object.admin_metadata.body
}

resource "keycloak_saml_client" "admin_client" {
    realm_id = keycloak_realm.engine.id
    client_id = data.keycloak_client_description_converter.admin_client.client_id

    name = "admin-webapp for engine-build"
    sign_assertions = true
    encrypt_assertions = true
    name_id_format = "username"
    valid_redirect_uris = data.keycloak_client_description_converter.admin_client.redirect_uris
    signature_algorithm = "RSA_SHA256"

    encryption_certificate = data.keycloak_client_description_converter.admin_client.encryption_certificate
    signing_certificate = data.keycloak_client_description_converter.admin_client.signing_certificate
}
```

But terraform gives me the following:

```
9:28:40  Error: Unsupported attribute
09:28:40  
09:28:40    on clients.tf line 24, in resource "keycloak_saml_client" "admin_client":
09:28:40    24:     encryption_certificate = data.keycloak_client_description_converter.admin_client.encryption_certificate
09:28:40  
09:28:40  This object has no argument, nested block, or exported attribute named
09:28:40  "encryption_certificate".
```

Is this a missing feature, or is there any other way to quickly create SAML clients based on XML metadata?

Thanks, Sven

svencan commented 1 year ago

I was able to get this working, and want to document my findings just in case someone else will find it helpful in the future.

Basically, I imported an XML metadata file via the browser and had a look in the network inspector. The following structure is sent to the server:

```
alwaysDisplayInConsole
attributes
    saml.assertion.signature
    saml.authnstatement
    saml.client.signature
    saml.encrypt
    saml.encryption.certificate
    saml.server.signature
    saml.server.signature.keyinfo.ext
    saml.signature.algorithm
    saml.signing.certificate
    saml_artifact_binding_url
    saml_assertion_consumer_url_post
    saml_name_id_format
    saml_single_logout_service_url_post
    saml_single_logout_service_url_redirect
clientId
description
fullScopeAllowed
name
protocol
protocolMappers
redirectUris
```

I assumed that this structure is also the JSON output of the converter endpoint, so I access the arbitrary attributes like this in my terraform file:

```hcl
data "keycloak_client_description_converter" "admin_client" {
    realm_id = data.keycloak_realm.engine.id
    body     = data.aws_s3_object.admin_metadata.body
}

resource "keycloak_saml_client" "admin_client" {
    realm_id = data.keycloak_realm.engine.id
    client_id = data.keycloak_client_description_converter.admin_client.client_id

    name = "admin-webapp for engine-engine-build"
    sign_assertions = true
    encrypt_assertions = true
    name_id_format = "username"
    valid_redirect_uris = data.keycloak_client_description_converter.admin_client.redirect_uris
    signature_algorithm = "RSA_SHA256"

    encryption_certificate = data.keycloak_client_description_converter.admin_client.attributes["saml.encryption.certificate"]
    signing_certificate = data.keycloak_client_description_converter.admin_client.attributes["saml.signing.certificate"]
    assertion_consumer_post_url = data.keycloak_client_description_converter.admin_client.attributes["saml_assertion_consumer_url_post"]
    logout_service_post_binding_url = data.keycloak_client_description_converter.admin_client.attributes["saml_single_logout_service_url_post"]
    logout_service_redirect_binding_url = data.keycloak_client_description_converter.admin_client.attributes["saml_single_logout_service_url_redirect"]
}
```

This creates the SAML client just how I need it.

I'll leave this open if the author wants to document this somewhere or make it easier to create clients from XML metadata.
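As an added example (not from the issue above or the provider's own documentation), the same wiring can be made to fail at plan time when the imported SP metadata is missing the material the security settings depend on: `encrypt_assertions` needs an SP encryption certificate, `client_signature_required` (the resource's default) needs an SP signing certificate, and endpoints should be HTTPS. It uses `lookup` defaults plus `precondition` blocks (Terraform 1.2+); resource names follow the issue, the `local.*` names are assumptions.

```hcl
locals {
  converted = data.keycloak_client_description_converter.admin_client

  # Assumption: an empty string means the SP metadata did not carry the value.
  sp_signing_cert    = lookup(local.converted.attributes, "saml.signing.certificate", "")
  sp_encryption_cert = lookup(local.converted.attributes, "saml.encryption.certificate", "")
  sp_acs_post_url    = lookup(local.converted.attributes, "saml_assertion_consumer_url_post", "")
}

resource "keycloak_saml_client" "admin_client" {
  realm_id  = data.keycloak_realm.engine.id
  client_id = local.converted.client_id

  name                      = "admin-webapp for engine-build"
  sign_assertions           = true
  encrypt_assertions        = true
  client_signature_required = true
  name_id_format            = "username"
  signature_algorithm       = "RSA_SHA256"
  valid_redirect_uris       = local.converted.redirect_uris

  encryption_certificate      = local.sp_encryption_cert
  signing_certificate         = local.sp_signing_cert
  assertion_consumer_post_url = local.sp_acs_post_url

  lifecycle {
    # Without the SP signing certificate Keycloak cannot verify signed AuthnRequests.
    precondition {
      condition     = local.sp_signing_cert != ""
      error_message = "SP metadata has no signing certificate; client_signature_required cannot be enforced."
    }
    # Without the SP encryption certificate encrypt_assertions has nothing to encrypt to.
    precondition {
      condition     = local.sp_encryption_cert != ""
      error_message = "SP metadata has no encryption certificate; encrypt_assertions cannot be honoured."
    }
    # Assertions must only be posted to, and redirected back to, HTTPS endpoints.
    precondition {
      condition = alltrue(concat(
        [can(regex("^https://", local.sp_acs_post_url))],
        [for u in local.converted.redirect_uris : can(regex("^https://", u))],
      ))
      error_message = "SP metadata contains a non-HTTPS ACS URL or redirect URI."
    }
  }
}
```

`terraform plan` reports the failing precondition's message instead of creating a client whose encryption or signature checks silently have no certificate to work with.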