
allow for mapping roles to users and service accounts #152

Closed
mrparkers opened this issue Sep 5, 2019 · 8 comments
Labels
new resource This feature request requires the creation of a new Terraform resource

Comments

@mrparkers
Contributor

Discussion started in #143.

For mapping roles to a service account, it makes sense to have a data source to get the ID of that service account, and use a resource like keycloak_user_roles to map roles to it. It might look something like this:

```hcl
resource "keycloak_openid_client" "client" {
  realm_id  = "${keycloak_realm.realm.id}"
  client_id = "client"
  name      = "client"

  enabled = true

  access_type   = "CONFIDENTIAL"
  client_secret = "secret"

  service_accounts_enabled = true
}

data "keycloak_service_account_user" "client_service_account" {
  client_id = "${keycloak_openid_client.client.id}"
}

resource "keycloak_role" "role" {
  realm_id = "${keycloak_realm.realm.id}"
  name     = "my-role"
}

resource "keycloak_user_roles" "client_service_account_roles" {
  realm_id = "${keycloak_realm.realm.id}"
  user_id  = "${data.keycloak_service_account_user.client_service_account.id}"

  roles = [
    "${keycloak_role.role.id}"
  ]
}
```

thoughts? cc @rlewan @camelpunch

@mrparkers mrparkers added the new resource This feature request requires the creation of a new Terraform resource label Sep 5, 2019
@mrparkers mrparkers mentioned this issue Sep 5, 2019
@rlewan

rlewan commented Sep 5, 2019

Totally makes sense, I like the simplicity 👍

@camelpunch
Contributor

LGTM!

@dimsedane

I am looking into this a little as my first try with Go and Terraform development, since we need it for a project.

While my need is also for a service account, would it be better for the data source to be for a generic Keycloak user, not just a service account? You could still get the service account user from the naming convention, but it would be possible to apply it more broadly.

@mrparkers
Contributor Author

Hi @dimsedane, thanks for wanting to contribute! Feel free to post any questions you may have here along the way, I'll be happy to help.

I had initially considered a more generic keycloak_user data source as well, but my concern with using that for service accounts is that we would be relying on that naming convention which isn't guaranteed to remain consistent. I think ultimately there will be a generic keycloak_user data source regardless, and I suppose there would be nothing stopping people from using it that way, but I would probably still add a keycloak_service_account_user data source just for the extra safety.
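The distinction drawn in the comment above, between guessing the `service-account-<clientId>` username and asking Keycloak directly which user backs a client, is what a dedicated data source would encode. The following Go program is an added illustration, not code from this provider: it resolves the service account user through the admin API's `GET /realms/{realm}/clients/{id}/service-account-user` endpoint and then maps a realm role onto that user via `POST /realms/{realm}/users/{id}/role-mappings/realm`, which is the pair of calls the proposed `keycloak_service_account_user` data source and `keycloak_user_roles` resource would make. The `adminClient` type, the `/admin` base path and the bearer token are assumptions for the example; the Keycloak server is replaced by a constructed in-memory fake so the program runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// userRepresentation and roleRepresentation carry only the fields of Keycloak's
// UserRepresentation / RoleRepresentation that this example needs.
type userRepresentation struct {
	ID       string `json:"id"`
	Username string `json:"username"`
}

type roleRepresentation struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// adminClient is a hypothetical minimal admin API client (not the provider's own).
// baseURL is the admin root, e.g. https://keycloak.example.com/admin (assumed layout).
type adminClient struct {
	baseURL string
	token   string // bearer token, assumed to have been obtained elsewhere
	http    *http.Client
}

// do sends one JSON request and decodes the JSON reply into out (if out is non-nil).
func (c *adminClient) do(method, path string, body, out interface{}) error {
	var buf bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&buf).Encode(body); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(method, c.baseURL+path, &buf)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+c.token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.http.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("%s %s: unexpected status %d", method, path, resp.StatusCode)
	}
	if out != nil {
		return json.NewDecoder(resp.Body).Decode(out)
	}
	return nil
}

// ServiceAccountUser asks Keycloak which user backs the client, instead of
// deriving a username from the "service-account-<clientId>" convention.
func (c *adminClient) ServiceAccountUser(realm, clientID string) (*userRepresentation, error) {
	var user userRepresentation
	path := fmt.Sprintf("/realms/%s/clients/%s/service-account-user", url.PathEscape(realm), url.PathEscape(clientID))
	if err := c.do(http.MethodGet, path, nil, &user); err != nil {
		return nil, err
	}
	return &user, nil
}

// AddRealmRoles maps realm roles onto a user (what keycloak_user_roles would do).
func (c *adminClient) AddRealmRoles(realm, userID string, roles []roleRepresentation) error {
	path := fmt.Sprintf("/realms/%s/users/%s/role-mappings/realm", url.PathEscape(realm), url.PathEscape(userID))
	return c.do(http.MethodPost, path, roles, nil)
}

// mapServiceAccountRole chains the two calls and returns the resolved user id.
func mapServiceAccountRole(c *adminClient, realm, clientID string, role roleRepresentation) (string, error) {
	user, err := c.ServiceAccountUser(realm, clientID)
	if err != nil {
		return "", err
	}
	if err := c.AddRealmRoles(realm, user.ID, []roleRepresentation{role}); err != nil {
		return "", err
	}
	return user.ID, nil
}

// fakeKeycloak is a constructed stand-in for the two endpoints above; it knows one
// client (client-uuid-1) and records role names mapped onto its service account user.
type fakeKeycloak struct {
	Server   *httptest.Server
	Mappings map[string][]string // user id -> mapped role names
}

func newFakeKeycloak() *fakeKeycloak {
	f := &fakeKeycloak{Mappings: map[string][]string{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/realms/master/clients/client-uuid-1/service-account-user", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(userRepresentation{ID: "sa-user-uuid-1", Username: "service-account-client"})
	})
	mux.HandleFunc("/admin/realms/master/users/sa-user-uuid-1/role-mappings/realm", func(w http.ResponseWriter, r *http.Request) {
		var roles []roleRepresentation
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&roles) != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		for _, role := range roles {
			f.Mappings["sa-user-uuid-1"] = append(f.Mappings["sa-user-uuid-1"], role.Name)
		}
		w.WriteHeader(http.StatusNoContent)
	})
	f.Server = httptest.NewServer(mux)
	return f
}

func main() {
	fake := newFakeKeycloak()
	defer fake.Server.Close()
	c := &adminClient{baseURL: fake.Server.URL + "/admin", token: "constructed-token", http: fake.Server.Client()}
	userID, err := mapServiceAccountRole(c, "master", "client-uuid-1", roleRepresentation{ID: "role-uuid-1", Name: "my-role"})
	if err != nil {
		panic(err)
	}
	fmt.Println("service account user:", userID, "roles:", fake.Mappings[userID])
}
```

An unknown client id makes the lookup fail with a non-2xx status rather than silently falling back to a username guess, which is the "extra safety" argument for a dedicated data source: the provider only ever maps roles onto the user Keycloak itself reports for the client.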

@totobest

totobest commented Mar 6, 2020

Thanks for the idea @mrparkers.

Would it be better for the resource "keycloak_openid_client" to output an attribute service_account_user_id if service_accounts_enabled is set to true?

@languitar
Contributor

Any chance to get this going? We would need this.

@mrparkers
Contributor Author

Looks like this is being worked on in #247

@languitar
Contributor

As #247 is closed now and #315 is merged, is this resolved now?
