\u5ba2\u6237\u7aef\u51ed\u8bc1\u6388\u6743\u8bbe\u7f6e\uff08\u63a8\u8350\uff09<\/p><\/blockquote>\n
\u6839\u636e\u6240\u8ff0\uff0c\u5efa\u8bae\u521b\u5efa\u4e00\u4e2aOIDC\u5ba2\u6237\u7aef\uff0c\u56e0\u6b64\u6211\u4eec\u5c06\u4e3aTerraform\u521b\u5efa\u4e00\u4e2a\u5ba2\u6237\u7aef\u3002<\/p>\n
\u672c\u6b21\u64cd\u4f5c\u5c07\u4f7f\u7528 Terraform \u5275\u5efa Realm\uff0c\u56e0\u6b64\u5728\u4e3b\u8981 Realm \u4e0a\u5275\u5efa\u4ee5\u4e0b\u5ba2\u6236\u7aef\u3002\u5982\u679c\u53ea\u9700\u8981\u5728\u76f8\u61c9\u7684 Realm \u4e2d\u9032\u884c\u64cd\u4f5c\uff0c\u8acb\u5275\u5efa\u4e00\u500b OIDC \u5ba2\u6236\u7aef\u3002<\/p>\n
\u901a\u7528\u8bbe\u7f6e<\/p>\n
- \n
- \n
- Client type: OpenID Connect<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Client ID: terraform<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Name: Terraform<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Description: Terraform Keycloak Provider<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Client authentication: On<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Authorization: Off<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
- Authentication flow: Service accounts role \u306b\u30c1\u30a7\u30c3\u30af<\/ul>\n
\u8fd9\u662f\u4e3a\u4e86\u5b9e\u73b0OpenID Connect\u4e2d\u7684\u5ba2\u6237\u7aef\u51ed\u8bc1\u6d41\u800c\u8fdb\u884c\u7684\u8bbe\u7f6e\u3002<\/p>\n
![\"image02.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d853a913a08637a6b886b\/14-0.png\" "\\"\\"")
<\/div>\n\u4fdd\u5b58\u540e\uff0c\u53ef\u4ee5\u5728Credentials\u9009\u9879\u5361\u4e2d\u627e\u5230\u751f\u6210\u7684\u5ba2\u6237\u7aef\u5bc6\u94a5\uff0c\u5fc5\u987b\u5c06\u5176\u8bb0\u4e0b\u3002<\/p>\n
![\"image03.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d853a913a08637a6b886b\/16-0.png\" "\\"\\"")
<\/div>\n\u63a5\u4e0b\u6765\uff0c\u7ed9\u8be5\u5ba2\u6237\u5206\u914d\u7ba1\u7406\u5458\u89d2\u8272\u3002<\/p>\n
![\"image04.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d853a913a08637a6b886b\/18-0.png\" "\\"\\"")
<\/div>\n\u5982\u679c\u60f3\u8981\u9650\u5236\u5206\u914d\u89d2\u8272\uff0c\u8bf7\u53c2\u8003”\u5206\u914d\u89d2\u8272”\u8fdb\u884c\u8bbe\u7f6e\u3002<\/p>\n
\u5199Terraform\u914d\u7f6e\u6587\u4ef6<\/h2>\n
provider<\/span> \"keycloak\"<\/span> {<\/span>\r\n client_id<\/span> =<\/span> var<\/span>.<\/span>client_id<\/span>\r\n client_secret<\/span> =<\/span> var<\/span>.<\/span>client_secret<\/span>\r\n url<\/span> =<\/span> var<\/span>.<\/span>url<\/span>\r\n}<\/span>\r\n\r\nterraform<\/span> {<\/span>\r\n required_providers<\/span> {<\/span>\r\n keycloak<\/span> =<\/span> {<\/span>\r\n source<\/span> =<\/span> \"mrparkers\/keycloak\"<\/span>\r\n version<\/span> =<\/span> \">= 4.0.0\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nvariable<\/span> \"client_id\"<\/span> {<\/span>\r\n description<\/span> =<\/span> \"Keycloak client_id for Terraform\"<\/span>\r\n}<\/span>\r\n\r\nvariable<\/span> \"client_secret\"<\/span> {<\/span>\r\n description<\/span> =<\/span> \"Keycloak client_secret for Terraform\"<\/span>\r\n}<\/span>\r\n\r\nvariable<\/span> \"url\"<\/span> {<\/span>\r\n description<\/span> =<\/span> \"Keycloak URL\"<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n\u8bf7\u968f\u610f\u4f20\u5165\u9002\u5f53\u7684\u8f93\u5165\u53d8\u91cf\uff0c\u53ef\u4ee5\u662f\u73af\u5883\u53d8\u91cf\u6216*.tfvars\u6587\u4ef6\u3002<\/p>\n
\u7531\u65bcKeycloak Provider\u8207Keycloak\u4e4b\u9593\u7684\u9a57\u8b49\u5df2\u7d93\u5b8c\u6210\uff0c\u73fe\u5728\u70ba\u4e86\u9032\u884c\u64cd\u4f5c\u78ba\u8a8d\uff0c\u8b93\u6211\u5011\u5275\u5efa\u4e00\u500bRealm\u3002<\/p>\n
#####<\/span>\r\n# Realm<\/span>\r\nlocals<\/span> {<\/span>\r\n realm_id<\/span> =<\/span> \"example-realm\"<\/span> # \u3054\u81ea\u7531\u306a\u540d\u524d\u3067\u3069\u3046\u305e<\/span>\r\n}<\/span>\r\n\r\nresource<\/span> \"keycloak_realm\"<\/span> \"realm\"<\/span> {<\/span>\r\n realm<\/span> =<\/span> local<\/span>.<\/span>realm_id<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n\u5f00\u59cb<\/p>\n
$ <\/span>terraform init\r\n\r\nInitializing the backend...\r\n\r\nInitializing provider plugins...\r\n- Finding mrparkers\/keycloak versions matching \">= 4.0.0\"<\/span>...\r\n- Installing mrparkers\/keycloak v4.3.1...\r\n- Installed mrparkers\/keycloak v4.3.1 (<\/span>self-signed, key ID C50867915E116CD2)<\/span>\r\n\r\nPartner and community providers are signed by their developers.\r\nIf you'd like to know more about provider signing, you can read about it here:\r\nhttps:\/\/www.terraform.io\/docs\/cli\/plugins\/signing.html\r\n\r\nTerraform has created a lock file .terraform.lock.hcl to record the provider\r\nselections it made above. Include this file in your version control repository\r\nso that Terraform can guarantee to make the same selections by default when\r\nyou run \"terraform init\" in the future.\r\n\r\nTerraform has been successfully initialized!\r\n\r\nYou may now begin working with Terraform. Try running \"terraform plan\" to see\r\nany changes that are required for your infrastructure. All Terraform commands\r\nshould now work.\r\n\r\nIf you ever set or change modules or backend configuration for Terraform,\r\nrerun this command to reinitialize your working directory. If you forget, other\r\ncommands will detect it and remind you to do so if necessary.\r\n<\/span><\/code><\/pre>\n\u8ba1\u5212<\/p>\n
$ <\/span>terraform plan -var-file<\/span> variables.tfvars\r\n\r\nTerraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:\r\n + create\r\n\r\nTerraform will perform the following actions:\r\n\r\n # keycloak_realm.realm will be created<\/span>\r\n + resource \"keycloak_realm\"<\/span> \"realm\"<\/span> {<\/span>\r\n + access_code_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + access_code_lifespan_login =<\/span> (<\/span>known after apply)<\/span>\r\n + access_code_lifespan_user_action =<\/span> (<\/span>known after apply)<\/span>\r\n + access_token_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + access_token_lifespan_for_implicit_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + action_token_generated_by_admin_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + action_token_generated_by_user_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + browser_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + client_authentication_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + client_session_idle_timeout =<\/span> (<\/span>known after apply)<\/span>\r\n + client_session_max_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + direct_grant_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + docker_authentication_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + duplicate_emails_allowed =<\/span> (<\/span>known after apply)<\/span>\r\n + edit_username_allowed =<\/span> (<\/span>known after apply)<\/span>\r\n + enabled =<\/span> true<\/span>\r\n + id<\/span> =<\/span> (<\/span>known after apply)<\/span>\r\n + internal_id =<\/span> (<\/span>known after apply)<\/span>\r\n + login_with_email_allowed =<\/span> (<\/span>known after apply)<\/span>\r\n + oauth2_device_code_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + oauth2_device_polling_interval =<\/span> (<\/span>known after apply)<\/span>\r\n + offline_session_idle_timeout =<\/span> (<\/span>known after apply)<\/span>\r\n + offline_session_max_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + offline_session_max_lifespan_enabled =<\/span> false<\/span>\r\n + realm =<\/span> \"example-realm\"<\/span>\r\n + refresh_token_max_reuse =<\/span> 0\r\n + registration_allowed =<\/span> (<\/span>known after apply)<\/span>\r\n + registration_email_as_username =<\/span> (<\/span>known after apply)<\/span>\r\n + registration_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + remember_me =<\/span> (<\/span>known after apply)<\/span>\r\n + reset_credentials_flow =<\/span> (<\/span>known after apply)<\/span>\r\n + reset_password_allowed =<\/span> (<\/span>known after apply)<\/span>\r\n + revoke_refresh_token =<\/span> false<\/span>\r\n + ssl_required =<\/span> \"external\"<\/span>\r\n + sso_session_idle_timeout =<\/span> (<\/span>known after apply)<\/span>\r\n + sso_session_idle_timeout_remember_me =<\/span> (<\/span>known after apply)<\/span>\r\n + sso_session_max_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + sso_session_max_lifespan_remember_me =<\/span> (<\/span>known after apply)<\/span>\r\n + user_managed_access =<\/span> false<\/span>\r\n + verify_email =<\/span> (<\/span>known after apply)<\/span>\r\n }<\/span>\r\n\r\nPlan: 1 to add, 0 to change, 0 to destroy.\r\n\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n\r\nNote: You didn't use the -out option to save this plan, so Terraform can'<\/span>t guarantee to take exactly these actions if <\/span>you run \"terraform apply\"<\/span> now.\r\n<\/code><\/pre>\n\u7533\u8bf7<\/p>\n
$ <\/span>terraform apply -var-file<\/span> variables.tfvars\r\n\r\nTerraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:\r\n + create\r\n\r\nTerraform will perform the following actions:\r\n\r\n # keycloak_realm.realm will be created<\/span>\r\n + resource \"keycloak_realm\"<\/span> \"realm\"<\/span> {<\/span>\r\n + access_code_lifespan =<\/span> (<\/span>known after apply)<\/span>\r\n + access_code_lifespan_login =<\/span> (<\/span>known after apply)<\/span>\r\n + access_code_lifespan_user_action =<\/span>
<\/p>\n
- \n
- \n
<\/p>\n
- Always display in console: off<\/ul>\n
![\"image01.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d853a913a08637a6b886b\/10-0.png\" "\\"\\"")
<\/div>\n\u80fd\u529b\u914d\u7f6e<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n
- \n