# Keycloak realm backing AFS XDR.
# Provider reference:
#   https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/realm
#
# Attributes that are commented out fall back to the provider / Keycloak
# default. They are kept as a checklist of the knobs this realm has not yet
# made an explicit decision about.
resource "keycloak_realm" "realm" {
  realm             = "XDR"
  enabled           = true
  display_name      = "AFS eXtended Detection and Response"
  display_name_html = "AFS XDR"

  # -- Themes (all left at the provider default) ------------------------------
  # login_theme   = "base"
  # account_theme = ""
  # admin_theme   = ""
  # email_theme   = ""

  # -- Login and registration behaviour ---------------------------------------
  user_managed_access      = false
  registration_allowed     = false # accounts are provisioned, never self-registered
  reset_password_allowed   = false # no self-service "forgot password" flow
  remember_me              = false
  verify_email             = true
  login_with_email_allowed = true
  duplicate_emails_allowed = false # keeps e-mail login unambiguous
  # NOTE(review): users may change their own username. Together with
  # login_with_email_allowed this makes the verified e-mail, not the username,
  # the stable identifier — confirm that is the intent before relying on
  # usernames anywhere downstream (audit logs, group mappings).
  edit_username_allowed = true
  ssl_required          = "all" # HTTPS required for every request, private source IPs included

  # -- Token and session lifetimes --------------------------------------------
  # TODO(review): the session lifetimes below still need sign-off from the
  # XDR security owners.
  sso_session_idle_timeout = "1h" # session ends after 1 h without activity
  sso_session_max_lifespan = "8h" # hard cap on a session regardless of activity
  # offline_session_idle_timeout        = ""
  # offline_session_max_lifespan        = ""
  # offline_session_max_lifespan_enabled = ""
  # default_signature_algorithm = ""
  # NOTE(review): with revoke_refresh_token left unset, a refresh token stays
  # replayable for the life of the SSO session. Enabling rotation
  # (revoke_refresh_token = true, refresh_token_max_reuse = 0) limits the
  # blast radius of a stolen token; verify clients tolerate rotation first.
  # revoke_refresh_token    = ""
  # refresh_token_max_reuse = ""
  # Left at the Keycloak default on purpose. If it is ever set, keep it short:
  # an access token cannot be revoked before it expires.
  # access_token_lifespan                   = "1h"
  # access_token_lifespan_for_implicit_flow = ""
  # access_code_lifespan                    = "" # time a client has to finish the auth-code flow
  # access_code_lifespan_login              = "" # time a user may sit on the login page
  # access_code_lifespan_user_action        = "" # time to complete required actions (e.g. password update)
  # action_token_generated_by_user_lifespan  = ""
  # action_token_generated_by_admin_lifespan = ""

  # -- Password policy --------------------------------------------------------
  # length(12) and upperCase(1) set a minimum floor; notUsername blocks the most
  # trivial choice. NOTE(review): forceExpiredPasswordChange(90) mandates
  # rotation every 90 days, which NIST SP 800-63B advises against unless
  # compromise is suspected. passwordHistory(n) and notEmail are available
  # policies that are not enabled here.
  password_policy = "upperCase(1) and length(12) and forceExpiredPasswordChange(90) and notUsername"

  # -- Outbound mail (verify-email and similar notifications) -----------------
  # The relay is resolved in the private zone; the From address uses the
  # public zone. NOTE(review): neither starttls/ssl nor an auth {} block is set,
  # so transport security and authentication to the relay are whatever the
  # relay enforces on its side — confirm the relay is reachable only from the
  # private network, or enable STARTTLS here.
  smtp_server {
    host                  = "mailrelay.${ var.dns_info["private"]["zone"] }"
    from                  = "keycloak@${ var.dns_info["public"]["zone"] }"
    from_display_name     = "AFS XDR KeyCloak"
    reply_to              = "xdr.eng@accenturefederal.com"
    reply_to_display_name = "XDR Engineering"
  }

  # attributes = {
  #   mycustomAttribute = "myCustomValue"
  # }

  internationalization {
    supported_locales = ["en", "de", "es"]
    default_locale    = "en"
  }

  security_defenses {
    headers {
      # NOTE(review): X-Frame-Options DENY forbids all framing, while the CSP
      # frame-ancestors 'self' still permits same-origin framing — and browsers
      # that understand CSP apply frame-ancestors in preference to
      # X-Frame-Options. Pick one intent: relax to "SAMEORIGIN" or tighten
      # frame-ancestors to 'none'.
      x_frame_options                     = "DENY"
      content_security_policy             = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
      content_security_policy_report_only = ""
      x_content_type_options              = "nosniff"
      x_robots_tag                        = "none"
      # NOTE(review): "1; mode=block" is the Keycloak default. Current OWASP
      # guidance is to send "0": the XSS auditor is gone from modern browsers
      # and was itself abusable in older ones. The CSP above is the real control.
      x_xss_protection          = "1; mode=block"
      strict_transport_security = "max-age=31536000; includeSubDomains" # one year; add preload only once the whole zone is HTTPS-only
    }

    # Per-account throttling of failed logins. Lockouts are temporary
    # (permanent_lockout = false), so an attacker cannot permanently deny a
    # victim access by guessing at them; the wait grows per threshold hit up to
    # the 15 min cap and the counter is forgotten after 12 h.
    # NOTE(review): failures are counted per user, so this does not by itself
    # slow a low-and-slow password spray across many accounts — pair it with
    # rate limiting at the ingress.
    brute_force_detection {
      permanent_lockout                = false
      max_login_failures               = 3     # failures before the first wait is imposed
      wait_increment_seconds           = 60    # lockout added each time the threshold is hit again
      quick_login_check_milli_seconds  = 1000  # consecutive failures faster than this count as a quick-login attempt
      minimum_quick_login_wait_seconds = 60    # wait imposed after a quick-login failure
      max_failure_wait_seconds         = 900   # 15 min cap on any single wait
      failure_reset_time_seconds       = 43200 # 12 h without failures clears the counter
    }
  }

  # WebAuthn / passkeys are not configured yet. Enable this block when a
  # phishing-resistant second factor is rolled out; relying_party_id must be
  # the realm's public host, not the example below.
  # web_authn_policy {
  #   relying_party_entity_name = "Example"
  #   relying_party_id          = "keycloak.example.com"
  #   signature_algorithms      = ["ES256", "RS256"]
  # }
}