Dateien nach "keycloak-tf-projekt/modules/clients" hochladen
This commit is contained in:
@@ -1,49 +1,25 @@
|
||||
resource "keycloak_user" "newUser" {
|
||||
for_each = var.usernames
|
||||
|
||||
realm_id = var.realm_id
|
||||
username = each.key
|
||||
email = each.value.email
|
||||
first_name = each.value.first_name
|
||||
enabled = true
|
||||
|
||||
initial_password {
|
||||
value = random_password.initial_password[each.key].result
|
||||
temporary = true
|
||||
}
|
||||
|
||||
required_actions = [
|
||||
"UPDATE_PASSWORD"
|
||||
]
|
||||
}
|
||||
|
||||
resource "random_password" "initial_password" {
|
||||
for_each = var.usernames
|
||||
|
||||
length = 16 # 16 Zeichen sind ein guter Standard
|
||||
# special = true # Sonderzeichen erlauben
|
||||
# override_special = "!@#%&*" # Welche Sonderzeichen verwendet werden dürfen
|
||||
upper = true # Großbuchstaben
|
||||
lower = true # Kleinbuchstaben
|
||||
numeric = true # Zahlen
|
||||
}
|
||||
|
||||
resource "keycloak_role" "client_role" {
|
||||
resource "keycloak_openid_client" "web_app_client" {
|
||||
realm_id = var.realm_id
|
||||
client_id = var.target_client_id
|
||||
name = "my-client-role"
|
||||
description = "My Client Role"
|
||||
}
|
||||
client_id = "my-web-app-client"
|
||||
name = "My Secure Web Application"
|
||||
access_type = "CONFIDENTIAL" # Benötigt ein Client Secret
|
||||
|
||||
resource "keycloak_user_roles" "assigned_client_role" {
|
||||
for_each = var.usernames # <-- Iteriert über alle 15 Benutzer
|
||||
|
||||
realm_id = var.realm_id
|
||||
|
||||
# Holt die ID der Benutzerinstanz, die der Client-Schlüssel ist
|
||||
user_id = keycloak_user.newUser[each.key].id
|
||||
role_ids = [
|
||||
keycloak_role.client_role.id,
|
||||
// Callback URLs, wohin Keycloak den Benutzer nach dem Login umleiten darf
|
||||
valid_redirect_uris = [
|
||||
"http://localhost:8081/*"
|
||||
]
|
||||
|
||||
// Standard-Aktionen, die der Client ausführen darf
|
||||
standard_flow_enabled = true
|
||||
|
||||
// Deaktiviert das direkte Zugriffstoken-Erteilung
|
||||
implicit_flow_enabled = false
|
||||
service_accounts_enabled = false
|
||||
}
|
||||
|
||||
resource "keycloak_openid_client" "einfachter_test" {
|
||||
realm_id = var.realm_id
|
||||
client_id = "einfachter_test"
|
||||
access_type = "CONFIDENTIAL" # Benötigt ein Client Secret
|
||||
}
|
||||
@@ -1,8 +1,42 @@
|
||||
# output "all_generated_passwords" {
|
||||
# description = "Map der generierten Passwörter (Username -> Password)."
|
||||
output "web_app_client_secret" {
|
||||
description = "Das Secret des Web-App Clients."
|
||||
value = keycloak_openid_client.web_app_client.client_secret
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# value = {
|
||||
# for username, password in random_password.initial_password : username => password.result
|
||||
# }
|
||||
output "web_app_client_id" {
|
||||
description = "Die Client ID der Web-App."
|
||||
value = keycloak_openid_client.web_app_client.client_id
|
||||
}
|
||||
|
||||
# }
|
||||
locals {
|
||||
# Diese Liste enthält alle Ihre Keycloak-Client-Ressourcen-Objekte
|
||||
all_clients = [
|
||||
keycloak_openid_client.web_app_client,
|
||||
keycloak_openid_client.einfachter_test,
|
||||
// Fügen Sie hier jeden neuen Client hinzu, den Sie im Modul definieren
|
||||
]
|
||||
}
|
||||
|
||||
// 🔑 Map-Output: Generiert eine Map, wobei der Schlüssel die Client ID ist
|
||||
output "all_client_secrets_map" {
|
||||
description = "Eine Map mit Client ID als Schlüssel und dem Client Secret als Wert."
|
||||
|
||||
// Die for-Expression iteriert über die Liste und erstellt die Map:
|
||||
value = {
|
||||
for client in local.all_clients : client.client_id => client.client_secret
|
||||
}
|
||||
|
||||
sensitive = true # Wichtig: Die gesamte Map wird als sensibel markiert
|
||||
}
|
||||
|
||||
output "all_client_ids_map" {
|
||||
description = "Eine Map mit Client ID (Client ID String) als Schlüssel und der internen ID (UUID) als Wert."
|
||||
|
||||
// 🔑 for Expression:
|
||||
// Key: Der von Ihnen definierte Client-String (z.B. "my-web-app-client")
|
||||
// Value: Die interne, von Keycloak generierte ID (UUID)
|
||||
value = {
|
||||
for client in local.all_clients : client.client_id => client.id
|
||||
}
|
||||
}
|
||||
@@ -1,23 +1,4 @@
|
||||
variable "realm_id" {
|
||||
description = "Die interne ID des Realms, in dem der Benutzer erstellt werden soll."
|
||||
description = "Die interne ID des Realms, in dem die Clients erstellt werden sollen."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "usernames" {
|
||||
description = "Der Benutzername des neuen Keycloak-Benutzers."
|
||||
type = map(object({
|
||||
email = string
|
||||
first_name = string
|
||||
}))
|
||||
}
|
||||
|
||||
variable "target_client_id" {
|
||||
description = "Die interne ID des Clients, für den Rollen zugewiesen werden sollen."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "role_to_assign" {
|
||||
description = "Der Name der Rolle (z.B. 'user' oder 'admin'), die zugewiesen werden soll."
|
||||
type = string
|
||||
default = "user" // Standardrolle 'user'
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
terraform {
|
||||
terraform {
|
||||
required_providers {
|
||||
// Definiert den Keycloak Provider
|
||||
keycloak = {
|
||||
|
||||
Reference in New Issue
Block a user