feat: 🔒 add keycloak password policy

cloud-pi-native · Oct 25, 2023 · e92669d · e92669d
1 parent 78c8096
commit e92669d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
@@ -157,6 +157,7 @@
     id: dso
     realm: dso
     display_name: Dso Realm
+    password_policy: "length(8) and lowerCase(1) and upperCase(1) and specialChars(1) and digits(1) and passwordHistory(1) and notUsername() and forceExpiredPasswordChange(365)"
     enabled: true
 
 - name: Get keycloak dso realm users from API
@@ -183,7 +184,7 @@
   block:
     - name: Generate admin user password
       ansible.builtin.set_fact:
-        admin_user_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"
+        admin_user_password: "{{ lookup('community.general.random_string', length=16, min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
 
     - name: Create dso secret
       kubernetes.core.k8s: