keycloak(atlas): default TOTP required action

services/keycloak/realm-settings-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-10
+  name: keycloak-realm-settings-11
   namespace: sso
 spec:
   backoffLimit: 0
@@ -137,6 +137,33 @@ spec:
               if status not in (200, 204):
                   raise SystemExit(f"Unexpected realm update response: {status}")
 
+              # Ensure MFA is on by default for newly-created users.
+              status, required_actions = http_json(
+                  "GET",
+                  f"{base_url}/admin/realms/{realm}/authentication/required-actions",
+                  access_token,
+              )
+              if status == 200 and isinstance(required_actions, list):
+                  for action in required_actions:
+                      if not isinstance(action, dict):
+                          continue
+                      if action.get("alias") != "CONFIGURE_TOTP":
+                          continue
+                      if action.get("enabled") is True and action.get("defaultAction") is True:
+                          break
+                      action["enabled"] = True
+                      action["defaultAction"] = True
+                      status, _ = http_json(
+                          "PUT",
+                          f"{base_url}/admin/realms/{realm}/authentication/required-actions/CONFIGURE_TOTP",
+                          access_token,
+                          action,
+                      )
+                      if status not in (200, 204):
+                          raise SystemExit(
+                              f"Unexpected required-action update response for CONFIGURE_TOTP: {status}"
+                          )
+
               # Disable Identity Provider Redirector in the browser flow for this realm.
               status, executions = http_json(
                   "GET",