After recently watching the Level1techs video on Tailscale, I thought it would be a good time to pull my thumb out and finish looking into hooking up Netbird (which I believe is an opensource alternative to Tailscale).
This led me down the path of configuring Keycloak, as the open source SSO of choice to hook into Netbird (for which they have instructions for manual configuration), after having deployed it using Docker. I wanted to automate the configuration with Terraform/Tofu, so that I could repeat this quickly, and know that if I made a mistake, I could easily rectify and roll out this simple adjustment in code. I got pretty far with it, but got stuck with trying to "convert" step 9 to Terraform code, which revolves around assigning the already existing view-users role to the service account of the netbird backend client. For this step, I used the following code:
… but this doesn't work. I either need to use a different resource type, or somehow identify the existing role not by that string name.
If any of you know what I need to do (it's simple once you know how, I'm sure it's something really simple that I missed), then I would love your help so I can finish my work and publish it to GitHub for others. I also posted this question yesterday to Stack Overflow if you want to get credit for the answer.
I'm pretty sure I covered that in the Stack Overflow post (sorry I didn't include that info here on this forum) as shown below, unless there is something you are saying you did differently?
If the resource already exists then you don't need to create it, but you need to "find" it using the appropriate data source:
resource "keycloak_realm" "realm" {
  realm   = "my-realm"
  enabled = true
}

data "keycloak_role" "offline_access" {
  realm_id = keycloak_realm.realm.id
  name     = "offline_access"
}

# use the data source
resource "keycloak_group" "group" {
  realm_id = keycloak_realm.realm.id
  name     = "group"
}

resource "keycloak_group_roles" "group_roles" {
  realm_id = keycloak_realm.realm.id
  group_id = keycloak_group.group.id
  role_ids = [
    data.keycloak_role.offline_access.id
  ]
}
but given that then you are only using the role name and not the id, it should not be necessary and the string "view-users" should work. … did you set
Obviously I haven't committed every permutation I have tried that failed, but it seems that "offline_access" is somewhat different as I was able to pick that one up by name, but there is something special about "view-users" that has to do with that "realm-management" pill that shows up beside it in the UI as shown below:
I managed to figure out the solution to my problem in the end and posted the answer on the Stack Overflow post. It turns out that the "realm-management" pill indicated the name of an additional client that got created in the realm automatically that "owns" the view-users role. So I just needed to identify the role that way and assign it with this code:
# load in the existing realm-management client
data "keycloak_openid_client" "realm_management_client" {
  realm_id  = keycloak_realm.realm.id
  client_id = "realm-management"
}

# Assign the realm-management view-users role to the netbird backend client's service account
resource "keycloak_openid_client_service_account_role" "service_account_role_assignment" {
  realm_id                = keycloak_realm.realm.id
  service_account_user_id = keycloak_openid_client.netbird_backend_client.service_account_user_id
  client_id               = data.keycloak_openid_client.realm_management_client.id # ID of the client the role belongs to, not ID of the client being assigned to
  role                    = "view-users"
}