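#SPDX-License-Identifier: MIT-0
---
# Keycloak provisioning tasks
#
# Every task authenticates to the admin API through the `master` realm with
# keycloak_admin_user / keycloak_admin_password and runs with no_log: true so
# the admin password, client secrets and user passwords never reach the
# Ansible log. The trade-off is that module error output is redacted as well;
# temporarily set no_log to false on a single task when debugging a failure.
#
# TLS verification of the admin endpoint is controlled by
# keycloak_validate_certs. It defaults to false to keep the previous
# hard-coded behaviour, but with verification off an on-path attacker can read
# the admin credentials and every secret pushed below; set it to true wherever
# keycloak_auth_url presents a certificate the controller trusts.
#
# Ordering: the realm is created first, stale objects are removed next
# (keycloak_removed_* lists), then objects are created. The removal lists
# default to [] so an undefined list makes the task a no-op instead of an
# error.

# Create realm (if not master)
- name: Create Keycloak realm
  community.general.keycloak_realm:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    display_name: "{{ keycloak_realm_display_name }}"
    enabled: true
    state: present
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  no_log: true
  when: keycloak_realm != "master"

# Cleanup: Remove deleted identity providers
- name: Remove deleted identity providers
  community.general.keycloak_identity_provider:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    alias: "{{ item }}"
    state: absent
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_removed_identity_providers | default([]) }}"
  no_log: true

# Cleanup: Remove deleted user federations
- name: Remove deleted user federations
  community.general.keycloak_user_federation:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item }}"
    state: absent
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_removed_user_federations | default([]) }}"
  no_log: true

# Cleanup: Remove deleted clients
- name: Remove deleted clients
  community.general.keycloak_client:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    client_id: "{{ item }}"
    state: absent
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_removed_clients | default([]) }}"
  no_log: true

# Cleanup: Remove deleted users
- name: Remove deleted users
  community.general.keycloak_user:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    username: "{{ item }}"
    state: absent
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_removed_users | default([]) }}"
  no_log: true

# Cleanup: Remove deleted groups
- name: Remove deleted groups
  community.general.keycloak_group:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item }}"
    state: absent
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_removed_groups | default([]) }}"
  no_log: true

# Create groups
# Groups are created before users so that item.groups below can reference them.
- name: Create groups
  community.general.keycloak_group:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item.name }}"
    state: present
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_groups }}"
  no_log: true

# Create user federations (LDAP)
# item.config carries the LDAP connection settings, including the bind
# credential; keep keycloak_user_federations in a vault. With
# bind_credential_update_mode: only_indirect the bind credential is not
# re-pushed on every run, so rotating it needs a change to another config key
# or a manual update in Keycloak.
- name: Create user federations
  community.general.keycloak_user_federation:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item.name }}"
    provider_id: "{{ item.provider_id }}"
    provider_type: org.keycloak.storage.UserStorageProvider
    config: "{{ item.config }}"
    mappers: "{{ item.mappers | default(omit) }}"
    bind_credential_update_mode: only_indirect
    state: present
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_user_federations }}"
  no_log: true

# Create local users
# item.password is set as a permanent (temporary: false) credential, so users
# are not forced to change it on first login; keycloak_local_users must live in
# a vault. Missing first_name/last_name/email are omitted rather than sent as
# empty strings; enabled and email_verified default to true.
- name: Create local users
  community.general.keycloak_user:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    username: "{{ item.username }}"
    first_name: "{{ item.first_name | default(omit) }}"
    last_name: "{{ item.last_name | default(omit) }}"
    email: "{{ item.email | default(omit) }}"
    enabled: "{{ item.enabled | default(true) }}"
    email_verified: "{{ item.email_verified | default(true) }}"
    credentials:
      - type: password
        value: "{{ item.password }}"
        temporary: false
    groups: "{{ item.groups | default([]) }}"
    state: present
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_local_users }}"
  no_log: true

# Create OIDC clients
# Clients are confidential (client-secret authenticator) with the standard
# authorization-code flow only; implicit flow is always off and the
# resource-owner-password flow (direct_access_grants_enabled) is off unless
# an item opts in. redirect_uris defaults to [] so a client with no explicit
# list accepts no redirect. web_origins defaults to '+', which tells Keycloak
# to allow CORS from every valid redirect URI origin; pass an explicit list
# when that is broader than the application needs.
- name: Create OIDC clients
  community.general.keycloak_client:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    client_id: "{{ item.client_id }}"
    name: "{{ item.name | default(item.client_id) }}"
    enabled: true
    client_authenticator_type: client-secret
    secret: "{{ item.client_secret }}"
    redirect_uris: "{{ item.redirect_uris | default([]) }}"
    web_origins: "{{ item.web_origins | default(['+']) }}"
    standard_flow_enabled: true
    implicit_flow_enabled: false
    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(false) }}"
    protocol: openid-connect
    default_client_scopes: "{{ item.default_client_scopes | default(['openid', 'email', 'profile']) }}"
    protocol_mappers: "{{ item.protocol_mappers | default(omit) }}"
    state: present
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_oidc_clients }}"
  no_log: true

# Create identity providers
# trust_email defaults to true, i.e. the email asserted by the external IdP is
# accepted as verified and can be used by the first-broker-login flow to link
# to an existing account. Keep that default only for IdPs whose email claims
# are trustworthy; set item.trust_email: false otherwise. item.config holds the
# IdP client secret, so keycloak_identity_providers belongs in a vault.
- name: Create identity providers
  community.general.keycloak_identity_provider:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    alias: "{{ item.alias }}"
    display_name: "{{ item.display_name | default(item.alias) }}"
    provider_id: "{{ item.provider_id }}"
    enabled: "{{ item.enabled | default(true) }}"
    trust_email: "{{ item.trust_email | default(true) }}"
    first_broker_login_flow_alias: "{{ item.first_broker_login_flow_alias | default('first broker login') }}"
    config: "{{ item.config }}"
    state: present
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
  loop: "{{ keycloak_identity_providers }}"
  no_log: true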