From 6576c2f15fc98f9432b0a0ce6b4f23a8528f30d9 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 20 Sep 2022 12:19:54 +0300
Subject: feat(ops/keycloak): import github identity provider configuration

For some reason Terraform decided that it would otherwise like to *delete* this configuration, which is undesirable.

Note that there is a "magic" special behaviour when the `alias` and `provider_id` are set to the name of a built-in supported provider (github, gitlab etc.), which lets us skip the authorization_url setup.

Change-Id: Ib66154c2896dda162c57bdc2d7964a9fa4e15f20
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6706
Tested-by: BuildkiteCI
Reviewed-by: lukegb
---
 ops/keycloak/main.tf         | 2 +-
 ops/keycloak/user_sources.tf | 23 +++++++++++++++++++++++
 ops/secrets/tf-keycloak.age  | Bin 981 -> 1001 bytes
 3 files changed, 24 insertions(+), 1 deletion(-)
(limited to 'ops')

diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index a8e2d82a3c..c18f4a1789 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -1,6 +1,6 @@
 # Configure TVL Keycloak instance.
 #
-# TODO(tazjin): Configure GitHub/GitLab IDP
+# TODO(tazjin): Configure GitLab IDP
 
 terraform {
   required_providers {
diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf
index 3fde6e07cc..01307fff8d 100644
--- a/ops/keycloak/user_sources.tf
+++ b/ops/keycloak/user_sources.tf
@@ -2,6 +2,10 @@
 # information (either by accessing a system like LDAP or integration
 # through protocols like OIDC).
 
+variable "github_client_secret" {
+  type = string
+}
+
 resource "keycloak_ldap_user_federation" "tvl_ldap" {
   name     = "tvl-ldap"
   realm_id = keycloak_realm.tvl.id
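Review bot: The new `github_client_secret` variable carries a credential but is not marked sensitive, so Terraform will echo its value in plan and apply output and in any diagnostic that references it. If the `terraform` block's required version (its body continues outside this diff) is 0.14 or newer, add `sensitive = true` next to `type = string` so the value is redacted in CLI output. The secret still lands in the state file either way, so the access controls on the state backend remain the real boundary for it.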
@@ -19,3 +23,22 @@ resource "keycloak_ldap_user_federation" "tvl_ldap" {
     "organizationalPerson",
   ]
 }
+
+# keycloak_oidc_identity_provider.github will be destroyed
+# (because keycloak_oidc_identity_provider.github is not in configuration)
+resource "keycloak_oidc_identity_provider" "github" {
+  alias = "github"
+  provider_id = "github"
+  client_id = "6d7f8bb2e82bb6739556"
+  client_secret = var.github_client_secret
+  realm = keycloak_realm.tvl.id
+  backchannel_supported = false
+  gui_order = "1"
+  store_token = false
+  sync_mode = "IMPORT"
+  trust_email = true
+
+  # These default to built-in values for the `github` provider_id.
+  authorization_url = ""
+  token_url = ""
+}
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
index b450e84fb0..c916dcd2a3 100644
Binary files a/ops/secrets/tf-keycloak.age and b/ops/secrets/tf-keycloak.age differ
-- 
cgit 1.4.1
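Review bot: The two-line comment above `resource "keycloak_oidc_identity_provider" "github"` is a verbatim copy of the Terraform plan message ("will be destroyed … is not in configuration"), which stops being true the moment this block exists and will lead the next reader to think the resource is slated for removal. Replace it with a comment that states intent, e.g. `# GitHub login via OIDC; imported from the live realm so Terraform no longer plans to delete it.` Since `trust_email = true` tells Keycloak to accept the email GitHub reports without its own verification step, the realm's first-login flow decides whether a GitHub identity can be linked by email to an existing user from the `tvl_ldap` federation above; that behaviour is worth confirming and recording in a comment on the `trust_email` line. Note also that `client_secret` ends up in Terraform state, not only in `ops/secrets/tf-keycloak.age`, so the state backend needs protection equivalent to the age file.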