Add validation of realm client and id

playbooks/keycloak_federation.yml

@@ -0,0 +1,68 @@
+---
+- name: Playbook for Keycloak Hosts
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_user_federation:
+          - realm: TestRealm
+            name: my-ldap
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            config:
+              priority: '0'
+              enabled: true
+              cachePolicy: DEFAULT
+              batchSizeForSync: '1000'
+              editMode: READ_ONLY
+              importEnabled: true
+              syncRegistrations: false
+              vendor: other
+              usernameLDAPAttribute: uid
+              rdnLDAPAttribute: uid
+              uuidLDAPAttribute: entryUUID
+              userObjectClasses: inetOrgPerson, organizationalPerson
+              connectionUrl: ldaps://ldap.example.com:636
+              usersDn: ou=Users,dc=example,dc=com
+              authType: simple
+              bindDn: cn=directory reader
+              bindCredential: password
+              searchScope: '1'
+              validatePasswordPolicy: false
+              trustEmail: false
+              useTruststoreSpi: ldapsOnly
+              connectionPooling: true
+              pagination: true
+              allowKerberosAuthentication: false
+              debug: false
+              useKerberosForPasswordAuthentication: false
+            mappers:
+              - name: "full name"
+                providerId: "full-name-ldap-mapper"
+                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+                config:
+                  ldap.full.name.attribute: cn
+                  read.only: true
+                  write.only: false
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles:
+              - TestClient1Admin
+              - TestClient1User
+            realm: "{{ keycloak_realm }}"
+            public_client: True
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users:
+            - username: TestUser
+              password: password
+              client_roles:
+                - client: TestClient1
+                  role: TestClient1User
+                  realm: "{{ keycloak_realm }}"

playbooks/keycloak_realm.yml

@@ -1,67 +1,28 @@
 ---
 - name: Playbook for Keycloak Hosts
   hosts: all
-  tasks:
+  vars:
-    - name: Keycloak Realm Role
+    keycloak_admin_password: "remembertochangeme"
-      ansible.builtin.include_role:
+    keycloak_realm: TestRealm
-        name: middleware_automation.keycloak.keycloak_realm
+    keycloak_clients:
-      vars:
+      - name: TestClient1
-        keycloak_admin_password: "remembertochangeme"
+        client_id: TestClient1
-        keycloak_realm: TestRealm
+        roles:
-        keycloak_user_federation:
+          - TestClient1Admin
-          - realm: TestRealm
+          - TestClient1User
-            name: my-ldap
+        realm: "{{ keycloak_realm }}"
-            provider_id: ldap
+        public_client: True
-            provider_type: org.keycloak.storage.UserStorageProvider
+        web_origins:
-            config:
+          - http://testclient1origin/application
-              priority: '0'
+          - http://testclient1origin/other
-              enabled: true
+        users:
-              cachePolicy: DEFAULT
+        - username: TestUser
-              batchSizeForSync: '1000'
+          password: password
-              editMode: READ_ONLY
+          client_roles:
-              importEnabled: true
+            - client: TestClient1
-              syncRegistrations: false
+              role: TestClient1User
-              vendor: other
+              realm: "{{ keycloak_realm }}"
-              usernameLDAPAttribute: uid
+  collections:
-              rdnLDAPAttribute: uid
+    - middleware_automation.keycloak  
-              uuidLDAPAttribute: entryUUID
+  roles:
-              userObjectClasses: inetOrgPerson, organizationalPerson
+    - keycloak_realm
-              connectionUrl: ldaps://ldap.example.com:636
-              usersDn: ou=Users,dc=example,dc=com
-              authType: simple
-              bindDn: cn=directory reader
-              bindCredential: password
-              searchScope: '1'
-              validatePasswordPolicy: false
-              trustEmail: false
-              useTruststoreSpi: ldapsOnly
-              connectionPooling: true
-              pagination: true
-              allowKerberosAuthentication: false
-              debug: false
-              useKerberosForPasswordAuthentication: false
-            mappers:
-              - name: "full name"
-                providerId: "full-name-ldap-mapper"
-                providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-                config:
-                  ldap.full.name.attribute: cn
-                  read.only: true
-                  write.only: false
-        keycloak_clients:
-          - name: TestClient1
-            roles:
-              - TestClient1Admin
-              - TestClient1User
-            realm: "{{ keycloak_realm }}"
-            public_client: True
-            web_origins:
-              - http://testclient1origin/application
-              - http://testclient1origin/other
-            users:
-            - username: TestUser
-              password: password
-              client_roles:
-                - client: TestClient1
-                  role: TestClient1User
-                  realm: "{{ keycloak_realm }}"

roles/keycloak/tasks/main.yml

@@ -36,6 +36,7 @@
     state: link
     src: "{{ keycloak_jboss_home }}/standalone/log"
     dest: /var/log/keycloak
+  become: yes
 
 - name: Set admin credentials and restart if not already created
   block:

roles/keycloak_realm/README.md

@@ -71,6 +71,8 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
 
 ```yaml
     - name: <name of the client>
+      id: <id of the client>
+      client_id: <id of the client>
       roles: <keycloak_client_default_roles>
       realm: <name of the realm that contains the client>
       public_client: <true for public, false for confidential>
@@ -78,6 +80,9 @@ Refer to [docs](https://docs.ansible.com/ansible/latest/collections/community/ge
       users: <keycloak_client_users>
 ```
 
+`name` and either `id` or `client_id` are required.
+
+
 * `keycloak_client_users`, a list of:
 
 ```yaml

roles/keycloak_realm/tasks/main.yml

@@ -53,6 +53,17 @@
   loop: "{{ keycloak_user_federation | flatten }}"
   when: keycloak_user_federation is defined
 
+- name: Validate Keycloak clients
+  ansible.builtin.assert:
+    that:
+      - item.name is defined and item.name | length > 0
+      - (item.client_id is defined and item.client_id | length > 0) or (item.id is defined and item.id | length > 0)
+    fail_msg: "For each keycloak client, attributes `name` and either `id` or `client_id` is required"
+    quiet: True
+  loop: "{{ keycloak_clients | flatten }}"
+  loop_control:
+    label: "{{ item.name | default('unnamed client') }}"
+
 - name: Create or update a Keycloak client
   community.general.keycloak_client:
     auth_client_id: "{{ keycloak_auth_client }}"
@@ -97,4 +108,4 @@
   loop: "{{ keycloak_clients | flatten }}"
   loop_control:
     loop_var: client
-  when: "'users' in client"
+  when: "'users' in client"