Dateien nach "keycloak-tf-projekt/modules/clients" hochladen
This commit is contained in:
@@ -1,49 +1,25 @@
|
|||||||
resource "keycloak_user" "newUser" {
|
resource "keycloak_openid_client" "web_app_client" {
|
||||||
for_each = var.usernames
|
|
||||||
|
|
||||||
realm_id = var.realm_id
|
|
||||||
username = each.key
|
|
||||||
email = each.value.email
|
|
||||||
first_name = each.value.first_name
|
|
||||||
enabled = true
|
|
||||||
|
|
||||||
initial_password {
|
|
||||||
value = random_password.initial_password[each.key].result
|
|
||||||
temporary = true
|
|
||||||
}
|
|
||||||
|
|
||||||
required_actions = [
|
|
||||||
"UPDATE_PASSWORD"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "random_password" "initial_password" {
|
|
||||||
for_each = var.usernames
|
|
||||||
|
|
||||||
length = 16 # 16 Zeichen sind ein guter Standard
|
|
||||||
# special = true # Sonderzeichen erlauben
|
|
||||||
# override_special = "!@#%&*" # Welche Sonderzeichen verwendet werden dürfen
|
|
||||||
upper = true # Großbuchstaben
|
|
||||||
lower = true # Kleinbuchstaben
|
|
||||||
numeric = true # Zahlen
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "keycloak_role" "client_role" {
|
|
||||||
realm_id = var.realm_id
|
realm_id = var.realm_id
|
||||||
client_id = var.target_client_id
|
client_id = "my-web-app-client"
|
||||||
name = "my-client-role"
|
name = "My Secure Web Application"
|
||||||
description = "My Client Role"
|
access_type = "CONFIDENTIAL" # Benötigt ein Client Secret
|
||||||
}
|
|
||||||
|
|
||||||
resource "keycloak_user_roles" "assigned_client_role" {
|
|
||||||
for_each = var.usernames # <-- Iteriert über alle 15 Benutzer
|
|
||||||
|
|
||||||
realm_id = var.realm_id
|
// Callback URLs, wohin Keycloak den Benutzer nach dem Login umleiten darf
|
||||||
|
valid_redirect_uris = [
|
||||||
# Holt die ID der Benutzerinstanz, die der Client-Schlüssel ist
|
"http://localhost:8081/*"
|
||||||
user_id = keycloak_user.newUser[each.key].id
|
|
||||||
role_ids = [
|
|
||||||
keycloak_role.client_role.id,
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
// Standard-Aktionen, die der Client ausführen darf
|
||||||
|
standard_flow_enabled = true
|
||||||
|
|
||||||
|
// Deaktiviert das direkte Zugriffstoken-Erteilung
|
||||||
|
implicit_flow_enabled = false
|
||||||
|
service_accounts_enabled = false
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "keycloak_openid_client" "einfachter_test" {
|
||||||
|
realm_id = var.realm_id
|
||||||
|
client_id = "einfachter_test"
|
||||||
|
access_type = "CONFIDENTIAL" # Benötigt ein Client Secret
|
||||||
}
|
}
|
||||||
@@ -1,8 +1,42 @@
|
|||||||
# output "all_generated_passwords" {
|
output "web_app_client_secret" {
|
||||||
# description = "Map der generierten Passwörter (Username -> Password)."
|
description = "Das Secret des Web-App Clients."
|
||||||
|
value = keycloak_openid_client.web_app_client.client_secret
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
# value = {
|
output "web_app_client_id" {
|
||||||
# for username, password in random_password.initial_password : username => password.result
|
description = "Die Client ID der Web-App."
|
||||||
# }
|
value = keycloak_openid_client.web_app_client.client_id
|
||||||
|
}
|
||||||
|
|
||||||
# }
|
locals {
|
||||||
|
# Diese Liste enthält alle Ihre Keycloak-Client-Ressourcen-Objekte
|
||||||
|
all_clients = [
|
||||||
|
keycloak_openid_client.web_app_client,
|
||||||
|
keycloak_openid_client.einfachter_test,
|
||||||
|
// Fügen Sie hier jeden neuen Client hinzu, den Sie im Modul definieren
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
// 🔑 Map-Output: Generiert eine Map, wobei der Schlüssel die Client ID ist
|
||||||
|
output "all_client_secrets_map" {
|
||||||
|
description = "Eine Map mit Client ID als Schlüssel und dem Client Secret als Wert."
|
||||||
|
|
||||||
|
// Die for-Expression iteriert über die Liste und erstellt die Map:
|
||||||
|
value = {
|
||||||
|
for client in local.all_clients : client.client_id => client.client_secret
|
||||||
|
}
|
||||||
|
|
||||||
|
sensitive = true # Wichtig: Die gesamte Map wird als sensibel markiert
|
||||||
|
}
|
||||||
|
|
||||||
|
output "all_client_ids_map" {
|
||||||
|
description = "Eine Map mit Client ID (Client ID String) als Schlüssel und der internen ID (UUID) als Wert."
|
||||||
|
|
||||||
|
// 🔑 for Expression:
|
||||||
|
// Key: Der von Ihnen definierte Client-String (z.B. "my-web-app-client")
|
||||||
|
// Value: Die interne, von Keycloak generierte ID (UUID)
|
||||||
|
value = {
|
||||||
|
for client in local.all_clients : client.client_id => client.id
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -1,23 +1,4 @@
|
|||||||
variable "realm_id" {
|
variable "realm_id" {
|
||||||
description = "Die interne ID des Realms, in dem der Benutzer erstellt werden soll."
|
description = "Die interne ID des Realms, in dem die Clients erstellt werden sollen."
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "usernames" {
|
|
||||||
description = "Der Benutzername des neuen Keycloak-Benutzers."
|
|
||||||
type = map(object({
|
|
||||||
email = string
|
|
||||||
first_name = string
|
|
||||||
}))
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "target_client_id" {
|
|
||||||
description = "Die interne ID des Clients, für den Rollen zugewiesen werden sollen."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "role_to_assign" {
|
|
||||||
description = "Der Name der Rolle (z.B. 'user' oder 'admin'), die zugewiesen werden soll."
|
|
||||||
type = string
|
|
||||||
default = "user" // Standardrolle 'user'
|
|
||||||
}
|
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
terraform {
|
terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
// Definiert den Keycloak Provider
|
// Definiert den Keycloak Provider
|
||||||
keycloak = {
|
keycloak = {
|
||||||
|
|||||||
Reference in New Issue
Block a user