chore: pmci create/assign default client roles

- "internal-system-scope:system:admin" - "internal-system-scope:system:workflow-admin" - "internal-system-scope:system:process-data-reader"
2 years ago · f010fca28c
parent 9100f299a9
commit f010fca28c
4 changed files with 77 additions and 3 deletions
--- a/roles/connect_realm/tasks/assign_client_roles.yml
+++ b/roles/connect_realm/tasks/assign_client_roles.yml
@ -0,0 +1,22 @@
+---
+- name: "Read keycloak user id for <{{ connect_client_admin_username }}>"
+  include_role:
+    name: keycloak
+    tasks_from: _read_keycloak_user_id
+
+- name: "Map client roles to <{{ connect_client_admin_username }}>"
+  community.general.keycloak_user_rolemapping:
+    auth_realm: "master"
+    auth_client_id: "admin-cli"
+    auth_username: "{{ keycloak_admin_username }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth"
+    state: present
+    realm: "{{ current_realm_name }}"
+    client_id: "{{ client.clientId }}"
+    uid: "{{ keycloak_user_id }}"
+    roles: "{{ current_client_roles }}"
+  with_items: "{{ current_realm_clients | default([]) }}"
+  loop_control:
+    loop_var: client
+  delegate_to: localhost
--- a/roles/connect_realm/tasks/create_client_role.yml
+++ b/roles/connect_realm/tasks/create_client_role.yml
@ -0,0 +1,16 @@
+---
+- name: "Create keycloak client roles"
+  community.general.keycloak_role:
+    auth_realm: "master"
+    auth_client_id: "admin-cli"
+    auth_username: "{{ keycloak_admin_username }}"
+    auth_password: "{{ keycloak_admin_password }}"
+    auth_keycloak_url: "{{ shared_service_url_keycloak }}/auth"
+    state: present
+    name: "{{ role }}"
+    realm: "{{ current_realm_name }}"
+    client_id: "{{ client.clientId }}"
+  with_items: "{{ current_realm_clients | default([]) }}"
+  loop_control:
+    loop_var: client
+  delegate_to: localhost
--- a/roles/connect_realm/tasks/main.yml
+++ b/roles/connect_realm/tasks/main.yml
@ -1,7 +1,4 @@
 ---
-
-### tags:
-
 - name: "Authenticate on keycloak for {{ inventory_hostname }}"
  include_role:
    name: keycloak
@ -21,3 +18,25 @@
  include_role:
    name: keycloak
    tasks_from: _create_realm_admin
+
+- name: "Create <internal-system-scope> client roles"
+  include_role:
+    name: connect_realm
+    tasks_from: create_client_role
+  with_items:
+    - "internal-system-scope:system:admin"
+    - "internal-system-scope:system:workflow-admin"
+    - "internal-system-scope:system:process-data-reader"
+  loop_control:
+    loop_var: role
+
+- name: "Assign <internal-system-scope> client roles to <{{ connect_client_admin_username }}>"
+  include_role:
+    name: connect_realm
+    tasks_from: assign_client_roles
+  vars:
+    current_username: "{{ connect_client_admin_username }}"
+    current_client_roles:
+      - name: "internal-system-scope:system:admin"
+      - name: "internal-system-scope:system:workflow-admin"
+      - name: "internal-system-scope:system:process-data-reader"
--- a/roles/keycloak/tasks/_read_keycloak_user_id.yml
+++ b/roles/keycloak/tasks/_read_keycloak_user_id.yml
@ -0,0 +1,17 @@
+---
+- name: "Reading users by username <{{ current_username }}> from realm <{{ current_realm_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_keycloak }}/auth/admin/realms/{{ current_realm_name }}/users?username={{ current_username }}"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ access_token }} "
+    status_code: [200]
+  register: keycloak_user_result
+
+- name: "Reading user id for username <{{ current_username }}>"
+  set_fact:
+    keycloak_user_id: "{{ keycloak_user_result.json | json_query(querystr1) | first }}"
+  vars:
+    querystr1: "[*].id"