AFS
/
xdr-terraform-modules


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091
							resource "keycloak_realm" "realm" {
  # Docs: https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/realm
  realm             = "XDR"
  enabled           = true
  display_name      = "AFS eXtended Detection and Response"
  display_name_html = "<b>AFS XDR</b>"

  user_managed_access = false

  #login_theme = "base"
  # account_theme = ""
  # admin_theme = ""
  # email_theme = ""

  registration_allowed = false
  edit_username_allowed = true
  reset_password_allowed = false
  remember_me = false
  verify_email = true
  login_with_email_allowed = true
  duplicate_emails_allowed = false
  ssl_required = "all"

  # default_signature_algorithm = ""?
  # revoke_refresh_token = ""
  # refresh_token_max_reuse = ""

  # TODO: Wes, Brad, Asha or somebody better should review these:
  sso_session_idle_timeout = "1h" # (Optional) The amount of time a session can be idle before it expires.
  sso_session_max_lifespan = "8h" # (Optional) The maximum amount of time before a session expires regardless of activity.
  # offline_session_idle_timeout = "" # (Optional) The amount of time an offline session can be idle before it expires.
  # offline_session_max_lifespan = "" # (Optional) The maximum amount of time before an offline session expires regardless of activity.
  # offline_session_max_lifespan_enabled = "" # (Optional) Enable offline_session_max_lifespan.
  #access_token_lifespan = "1h" # (Optional) The amount of time an access token can be used before it expires.
  # access_token_lifespan_for_implicit_flow = "" # (Optional) The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
  # access_code_lifespan = "" # (Optional) The maximum amount of time a client has to finish the authorization code flow.
  # access_code_lifespan_login = "" # (Optional) The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
  # access_code_lifespan_user_action = "" # (Optional) The maximum amount of time a user has to complete login related actions, such as updating a password.
  # action_token_generated_by_user_lifespan = "" # (Optional) The maximum time a user has to use a user-generated permit before it expires.
  # action_token_generated_by_admin_lifespan = "" # (Optional) The maximum time a user has to use an admin-generated permit before it expires.

  password_policy = "upperCase(1) and length(12) and forceExpiredPasswordChange(90) and notUsername"

  smtp_server {
    host = "mailrelay.${ var.dns_info["private"]["zone"] }"
    from = "keycloak@${ var.dns_info["public"]["zone"] }"
    from_display_name = "AFS XDR KeyCloak"
    reply_to = "xdr.eng@accenturefederal.com"
    reply_to_display_name = "XDR Engineering"
  }

  #attributes      = {
  #  mycustomAttribute = "myCustomValue"
  #}

  internationalization {
    supported_locales = [
      "en",
      "de",
      "es"
    ]
    default_locale    = "en"
  }

  security_defenses {
    headers {
      x_frame_options                     = "DENY"
      content_security_policy             = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
      content_security_policy_report_only = ""
      x_content_type_options              = "nosniff"
      x_robots_tag                        = "none"
      x_xss_protection                    = "1; mode=block"
      strict_transport_security           = "max-age=31536000; includeSubDomains"
    }
    brute_force_detection {
      permanent_lockout  = false# (Optional) When true, this will lock the user permanently when the user exceeds the maximum login failures.
      max_login_failures  = 3 # (Optional) How many failures before wait is triggered.
      wait_increment_seconds  = 60 # (Optional) This represents the amount of time a user should be locked out when the login failure threshold has been met.
      quick_login_check_milli_seconds  = 1000 # (Optional) Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
      minimum_quick_login_wait_seconds  = 60 # (Optional) How long to wait after a quick login failure.
      max_failure_wait_seconds  = 900 # (Optional) Max. time a user will be locked out.
      failure_reset_time_seconds  = 43200 # (Optional) When will failure count be reset?
    }
  }

  #web_authn_policy {
  #  relying_party_entity_name = "Example"
  #  relying_party_id          = "keycloak.example.com"
  #  signature_algorithms      = ["ES256", "RS256"]
  #}
}