# SPDX-License-Identifier: MIT-0
---
# Keycloak provisioning tasks
#
# Order of operations: stale identity providers, user federations, clients,
# users and groups are removed first, then groups, federations, local users,
# OIDC clients and identity providers are created in the target realm.
# Every task authenticates against the master realm with
# keycloak_admin_user / keycloak_admin_password; source those from Ansible
# Vault or an external secret store, never from plain group_vars.
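# Create realm (if not master)
#
# Creates (or enables) the realm named in keycloak_realm. The built-in
# master realm is never created or modified here.
#
# TLS verification of auth_keycloak_url is ON unless keycloak_validate_certs
# is explicitly set to false. Turning it off sends the master admin password
# to whatever answers at that URL, so reserve that for throw-away lab hosts.
- name: Create Keycloak realm
  community.general.keycloak_realm:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    display_name: "{{ keycloak_realm_display_name }}"
    enabled: true
    state: present
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  # NOTE(review): no hardening options (brute-force protection, ssl_required,
  # token lifetimes) are set here, so the realm keeps Keycloak's defaults —
  # confirm those are acceptable or add them to this task.
  no_log: true
  when: keycloak_realm != "master"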
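# Cleanup: Remove deleted identity providers
#
# Deletes every alias listed in keycloak_removed_identity_providers from the
# realm. Runs before the create tasks so a provider that was dropped from
# keycloak_identity_providers is gone before anything is (re)created.
# The list is optional; an unset variable means nothing to remove.
- name: Remove deleted identity providers
  community.general.keycloak_identity_provider:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    alias: "{{ item }}"
    state: absent
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_removed_identity_providers | default([]) }}"
  # Keeps the admin credentials out of the log; this also masks which alias
  # failed, so check the Keycloak server log when a removal errors out.
  no_log: true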
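# Cleanup: Remove deleted user federations
#
# Deletes every user-storage provider named in
# keycloak_removed_user_federations. Users imported through a removed
# federation are handled by Keycloak, not by this task — verify the
# expected behaviour on a staging realm before removing a live LDAP link.
# The list is optional; an unset variable means nothing to remove.
- name: Remove deleted user federations
  community.general.keycloak_user_federation:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item }}"
    state: absent
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_removed_user_federations | default([]) }}"
  # Keeps the admin credentials out of the log; also masks the failing item.
  no_log: true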
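# Cleanup: Remove deleted clients
#
# Deletes every client_id listed in keycloak_removed_clients from the realm.
# NOTE(review): nothing guards against listing one of Keycloak's built-in
# clients (account, account-console, admin-cli, broker, realm-management,
# security-admin-console); deleting those breaks the admin console and
# account pages, so review the list before running.
# The list is optional; an unset variable means nothing to remove.
- name: Remove deleted clients
  community.general.keycloak_client:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    client_id: "{{ item }}"
    state: absent
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_removed_clients | default([]) }}"
  # Keeps the admin credentials out of the log; also masks the failing item.
  no_log: true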
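# Cleanup: Remove deleted users
#
# Deletes local accounts by username. Removal is unconditional, so a typo in
# keycloak_removed_users deletes a real account; when in doubt, disable the
# user first (enabled: false in keycloak_local_users) and remove it later.
# The list is optional; an unset variable means nothing to remove.
- name: Remove deleted users
  community.general.keycloak_user:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    username: "{{ item }}"
    state: absent
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_removed_users | default([]) }}"
  # Keeps the admin credentials out of the log; also masks the failing item.
  no_log: true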
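# Cleanup: Remove deleted groups
#
# Deletes top-level groups by name. Members lose that membership (and any
# roles mapped through it); the user accounts themselves are not deleted.
# The list is optional; an unset variable means nothing to remove.
- name: Remove deleted groups
  community.general.keycloak_group:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item }}"
    state: absent
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_removed_groups | default([]) }}"
  # Keeps the admin credentials out of the log; also masks the failing item.
  no_log: true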
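# Create groups
#
# Creates one top-level group per entry of keycloak_groups (only item.name
# is used; nested groups are not handled here). Groups are created before
# users so that user group memberships below resolve.
- name: Create groups
  community.general.keycloak_group:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item.name }}"
    state: present
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_groups | default([]) }}"
  # Keeps the admin credentials out of the log; also masks the failing item.
  no_log: true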
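# Create user federations (LDAP)
#
# item.config is passed through verbatim and carries the connection
# settings and the LDAP bind credential, so any keycloak_user_federations
# entry holding a bind password belongs in Ansible Vault.
# NOTE(review): nothing here enforces an ldaps:// connectionUrl or StartTLS;
# a plaintext LDAP URL would send the bind password in the clear — check
# each item.config before using it outside a lab.
- name: Create user federations
  community.general.keycloak_user_federation:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    name: "{{ item.name }}"
    provider_id: "{{ item.provider_id }}"
    provider_type: org.keycloak.storage.UserStorageProvider
    config: "{{ item.config }}"
    # Attribute mappers are optional per federation.
    mappers: "{{ item.mappers | default(omit) }}"
    # Per the collection docs, only_indirect re-sends the bind credential
    # only when some other setting changed, so an unchanged federation is
    # not rewritten on every run — confirm against the installed version.
    bind_credential_update_mode: only_indirect
    state: present
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_user_federations | default([]) }}"
  # Required: item.config contains the bind credential.
  no_log: true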
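# Create local users
#
# Creates one realm-local account per entry of keycloak_local_users with a
# password credential taken from item.password, so that variable must be
# vaulted. Optional per-user keys: first_name, last_name, email, enabled,
# email_verified, password_temporary, groups.
# NOTE(review): whether an existing user's password is overwritten on every
# run depends on the module's credential handling — confirm before pointing
# this at a realm where users manage their own passwords.
- name: Create local users
  community.general.keycloak_user:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    username: "{{ item.username }}"
    first_name: "{{ item.first_name | default(omit) }}"
    last_name: "{{ item.last_name | default(omit) }}"
    email: "{{ item.email | default(omit) }}"
    enabled: "{{ item.enabled | default(true) }}"
    # Defaulting to verified skips Keycloak's verify-email action; the
    # address comes from inventory, so this is a deliberate trust decision.
    email_verified: "{{ item.email_verified | default(true) }}"
    credentials:
      - type: password
        value: "{{ item.password }}"
        # Set password_temporary: true on the item to force a change at
        # first login instead of keeping the provisioned value permanently.
        temporary: "{{ item.password_temporary | default(false) }}"
    # Presumably a list of {name:, state:} group entries as the module
    # expects — verify the inventory shape against the collection docs.
    groups: "{{ item.groups | default([]) }}"
    state: present
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_local_users | default([]) }}"
  # Required: each item carries a password.
  no_log: true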
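# Create OIDC clients
#
# Creates one confidential OpenID Connect client per entry of
# keycloak_oidc_clients. Required item keys: client_id, client_secret.
# Optional: name, redirect_uris, web_origins, direct_access_grants_enabled,
# default_client_scopes, attributes. client_secret must be vaulted.
- name: Create OIDC clients
  community.general.keycloak_client:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    client_id: "{{ item.client_id }}"
    name: "{{ item.name | default(item.client_id) }}"
    enabled: true
    # Secret-based client authentication; rotate by changing client_secret.
    client_authenticator_type: client-secret
    secret: "{{ item.client_secret }}"
    # Exact redirect URIs only. The empty default makes the client unusable
    # for browser login until URIs are supplied, which is the safe direction;
    # never use a bare '*' or a wildcard host here.
    redirect_uris: "{{ item.redirect_uris | default([]) }}"
    # '+' lets Keycloak allow CORS only from the origins of the redirect
    # URIs above, rather than from any origin ('*').
    web_origins: "{{ item.web_origins | default(['+']) }}"
    standard_flow_enabled: true
    # Implicit flow returns tokens in the URL fragment; keep it disabled.
    implicit_flow_enabled: false
    # Resource-owner password grant sends the user's password straight to the
    # token endpoint, outside the browser flow; opt in per legacy client only.
    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(false) }}"
    protocol: openid-connect
    default_client_scopes: "{{ item.default_client_scopes | default(['openid', 'email', 'profile']) }}"
    # Optional client attributes, e.g. to require PKCE:
    #   attributes: {pkce.code.challenge.method: S256}
    attributes: "{{ item.attributes | default(omit) }}"
    state: present
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_oidc_clients | default([]) }}"
  # Required: each item carries the client secret.
  no_log: true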
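# Create identity providers
#
# Creates one brokered identity provider per entry of
# keycloak_identity_providers. item.config is passed through verbatim and
# normally holds the upstream client secret, so those entries must be
# vaulted. Required item keys: alias, provider_id, config.
- name: Create identity providers
  community.general.keycloak_identity_provider:
    auth_keycloak_url: "{{ keycloak_auth_url }}"
    auth_realm: master
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ keycloak_realm }}"
    alias: "{{ item.alias }}"
    display_name: "{{ item.display_name | default(item.alias) }}"
    provider_id: "{{ item.provider_id }}"
    enabled: "{{ item.enabled | default(true) }}"
    # trust_email=true accepts the address asserted by the external IdP as
    # verified and skips Keycloak's own email verification. Keep the default
    # only for providers you control (corporate SSO); set
    # trust_email: false on the item for social or third-party providers.
    trust_email: "{{ item.trust_email | default(true) }}"
    # The flow that runs when an external identity logs in for the first
    # time (account linking / profile review).
    first_broker_login_flow_alias: "{{ item.first_broker_login_flow_alias | default('first broker login') }}"
    config: "{{ item.config }}"
    state: present
    # Verify the server certificate by default; opt out per environment.
    validate_certs: "{{ keycloak_validate_certs | default(true) }}"
  loop: "{{ keycloak_identity_providers | default([]) }}"
  # Required: item.config contains the upstream client secret.
  no_log: true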