diff --git a/docs/data_sources/keycloak_group.md b/docs-old/data_sources/keycloak_group.md
similarity index 100%
rename from docs/data_sources/keycloak_group.md
rename to docs-old/data_sources/keycloak_group.md
diff --git a/docs/data_sources/keycloak_openid_client.md b/docs-old/data_sources/keycloak_openid_client.md
similarity index 100%
rename from docs/data_sources/keycloak_openid_client.md
rename to docs-old/data_sources/keycloak_openid_client.md
diff --git a/docs/data_sources/keycloak_realm.md b/docs-old/data_sources/keycloak_realm.md
similarity index 100%
rename from docs/data_sources/keycloak_realm.md
rename to docs-old/data_sources/keycloak_realm.md
diff --git a/docs/data_sources/keycloak_realm_keys.md b/docs-old/data_sources/keycloak_realm_keys.md
similarity index 100%
rename from docs/data_sources/keycloak_realm_keys.md
rename to docs-old/data_sources/keycloak_realm_keys.md
diff --git a/docs/data_sources/keycloak_role.md b/docs-old/data_sources/keycloak_role.md
similarity index 100%
rename from docs/data_sources/keycloak_role.md
rename to docs-old/data_sources/keycloak_role.md
diff --git a/docs/data_sources/keycloak_saml_client_installation_provider.md b/docs-old/data_sources/keycloak_saml_client_installation_provider.md
similarity index 100%
rename from docs/data_sources/keycloak_saml_client_installation_provider.md
rename to docs-old/data_sources/keycloak_saml_client_installation_provider.md
diff --git a/docs/index.css b/docs-old/index.css
similarity index 100%
rename from docs/index.css
rename to docs-old/index.css
diff --git a/docs-old/index.md b/docs-old/index.md
new file mode 100644
index 00000000..58380f7e
--- /dev/null
+++ b/docs-old/index.md
@@ -0,0 +1,83 @@
+# Installing
+
+You can download the latest version of this provider on the
+[GitHub releases](https://github.com/mrparkers/terraform-provider-keycloak/releases)
+page.
+
+Please follow the [official docs](https://www.terraform.io/docs/configuration/providers.html#third-party-plugins)
+for instructions on installing a third-party provider.
+
+# Keycloak Setup
+
+This Terraform provider can be configured to use the [client credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/)
+or [password](https://www.oauth.com/oauth2-servers/access-tokens/password-grant/) grant types. If you aren't
+sure which to use, the client credentials grant is recommended, as it was designed for machine to machine authentication.
+
+## Client Credentials Grant Setup (recommended)
+
+1. Create a new client using the `openid-connect` protocol. This client can be created in the `master` realm if you would
+like to manage your entire Keycloak instance, or in any other realm if you only want to manage that realm.
+1. Update the client you just created:
+ 1. Set "Access Type" to "confidential".
+ 1. Set "Standard Flow Enabled" to "OFF".
+ 1. Set "Direct Access Grants Enabled" to "OFF"
+ 1. Set "Service Accounts Enabled" to "ON".
+1. Grant required roles for managing Keycloak via the "Service Account Roles" tab in the client you created in step 1.
+
+## Password Grant Setup
+
+These steps will assume that you are using the `admin-cli` client, which is already correctly configured for this type
+of authentication. Do not follow these steps if you have already followed the steps for the client credentials grant.
+
+1. Create or identify the user whose credentials will be used for authentication.
+1. Edit this user in the "Users" section of the management console and assign roles using the "Role Mappings" tab.
+
+## Assigning Roles
+
+There are many ways that roles can be assigned to manage Keycloak. Here are a couple of common scenarios accompanied
+by suggested roles to assign. This is not an exhaustive list, and there is often more than one way to assign a particular set
+of permissions.
+
+- Managing the entire Keycloak instance: Assign the `admin` role to a user or service account within the `master` realm.
+- Managing the entire `foo` realm: Assign the `realm-admin` client role from the `realm-management` client to a user or service
+account within the `foo` realm.
+- Managing clients for all realms within the entire Keycloak instance: Assign the `create-client` client role from each of
+the realm clients to a user or service account within the `master` realm. For example, given a Keycloak instance with realms
+`master`, `foo`, and `bar`, assign the `create-client` client role from the clients `master-realm`, `foo-realm`, and `bar-realm`.
+
+# Provider Setup
+
+The following provider attributes are supported:
+
+- `client_id` (Required) - The `client_id` for the client that was created in the "Keycloak Setup" section. Use the `admin-cli` client if you are using the password grant. Defaults to the environment variable `KEYCLOAK_CLIENT_ID`.
+- `url` (Required) - The URL of the Keycloak instance, before `/auth/admin`. Defaults to the environment variable `KEYCLOAK_URL`.
+- `client_secret` (Optional) - The secret for the client used by the provider for authentication via the client credentials grant. This can be found or changed using the "Credentials" tab in the client settings. Defaults to the environment variable `KEYCLOAK_CLIENT_SECRET`. This attribute is required when using the client credentials grant, and cannot be set when using the password grant.
+- `username` (Optional) - The username of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_USER`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant.
+- `password` (Optional) - The password of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_PASSWORD`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant.
+- `realm` (Optional) - The realm used by the provider for authentication. Defaults to environment variable `KEYCLOAK_REALM`, or `master` if the environment variable is not specified.
+- `initial_login` (Optional) - Optionally avoid Keycloak login during provider setup, for when Keycloak itself is being provisioned by terraform. Defaults to true, which is the original method.
+- `client_timeout` (Optional) - Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or 5 is the environment variable is not specified.
+- `tls_insecure_skip_verify` (Optional) - Allows ignoring insecure certificates when set to true. Defaults to false. Disabling security check is dangerous and should be avoided.
+- `root_ca_certificate` (Optional) - Allows x509 calls using an unknown CA certificate (for development purposes)
+- `base_path` (Optional) - The base path used for accessing the Keycloak REST API. Defaults to `/auth`
+
+#### Example (client credentials)
+
+```hcl
+provider "keycloak" {
+ client_id = "terraform"
+ client_secret = "884e0f95-0f42-4a63-9b1f-94274655669e"
+ url = "http://localhost:8080"
+}
+```
+
+#### Example (password)
+
+```hcl
+provider "keycloak" {
+ client_id = "admin-cli"
+ username = "keycloak"
+ password = "password"
+ url = "http://localhost:8080"
+}
+```
diff --git a/docs/resources/keycloak_attribute_importer_identity_provider_mapper.md b/docs-old/resources/keycloak_attribute_importer_identity_provider_mapper.md
similarity index 100%
rename from docs/resources/keycloak_attribute_importer_identity_provider_mapper.md
rename to docs-old/resources/keycloak_attribute_importer_identity_provider_mapper.md
diff --git a/docs/resources/keycloak_authentication_execution.md b/docs-old/resources/keycloak_authentication_execution.md
similarity index 100%
rename from docs/resources/keycloak_authentication_execution.md
rename to docs-old/resources/keycloak_authentication_execution.md
diff --git a/docs/resources/keycloak_authentication_execution_config.md b/docs-old/resources/keycloak_authentication_execution_config.md
similarity index 100%
rename from docs/resources/keycloak_authentication_execution_config.md
rename to docs-old/resources/keycloak_authentication_execution_config.md
diff --git a/docs/resources/keycloak_custom_user_federation.md b/docs-old/resources/keycloak_custom_user_federation.md
similarity index 100%
rename from docs/resources/keycloak_custom_user_federation.md
rename to docs-old/resources/keycloak_custom_user_federation.md
diff --git a/docs/resources/keycloak_default_groups.md b/docs-old/resources/keycloak_default_groups.md
similarity index 100%
rename from docs/resources/keycloak_default_groups.md
rename to docs-old/resources/keycloak_default_groups.md
diff --git a/docs/resources/keycloak_generic_client_protocol_mapper.md b/docs-old/resources/keycloak_generic_client_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_generic_client_protocol_mapper.md
rename to docs-old/resources/keycloak_generic_client_protocol_mapper.md
diff --git a/docs/resources/keycloak_generic_client_role_mapper.md b/docs-old/resources/keycloak_generic_client_role_mapper.md
similarity index 100%
rename from docs/resources/keycloak_generic_client_role_mapper.md
rename to docs-old/resources/keycloak_generic_client_role_mapper.md
diff --git a/docs/resources/keycloak_group.md b/docs-old/resources/keycloak_group.md
similarity index 100%
rename from docs/resources/keycloak_group.md
rename to docs-old/resources/keycloak_group.md
diff --git a/docs/resources/keycloak_group_memberships.md b/docs-old/resources/keycloak_group_memberships.md
similarity index 100%
rename from docs/resources/keycloak_group_memberships.md
rename to docs-old/resources/keycloak_group_memberships.md
diff --git a/docs/resources/keycloak_group_roles.md b/docs-old/resources/keycloak_group_roles.md
similarity index 100%
rename from docs/resources/keycloak_group_roles.md
rename to docs-old/resources/keycloak_group_roles.md
diff --git a/docs/resources/keycloak_identity_provider_token_exchange_scope_permission.md b/docs-old/resources/keycloak_identity_provider_token_exchange_scope_permission.md
similarity index 100%
rename from docs/resources/keycloak_identity_provider_token_exchange_scope_permission.md
rename to docs-old/resources/keycloak_identity_provider_token_exchange_scope_permission.md
diff --git a/docs/resources/keycloak_ldap_full_name_mapper.md b/docs-old/resources/keycloak_ldap_full_name_mapper.md
similarity index 100%
rename from docs/resources/keycloak_ldap_full_name_mapper.md
rename to docs-old/resources/keycloak_ldap_full_name_mapper.md
diff --git a/docs/resources/keycloak_ldap_group_mapper.md b/docs-old/resources/keycloak_ldap_group_mapper.md
similarity index 100%
rename from docs/resources/keycloak_ldap_group_mapper.md
rename to docs-old/resources/keycloak_ldap_group_mapper.md
diff --git a/docs/resources/keycloak_ldap_hardcoded_role_mapper.md b/docs-old/resources/keycloak_ldap_hardcoded_role_mapper.md
similarity index 100%
rename from docs/resources/keycloak_ldap_hardcoded_role_mapper.md
rename to docs-old/resources/keycloak_ldap_hardcoded_role_mapper.md
diff --git a/docs/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md b/docs-old/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md
similarity index 100%
rename from docs/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md
rename to docs-old/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md
diff --git a/docs/resources/keycloak_ldap_msad_user_account_control_mapper.md b/docs-old/resources/keycloak_ldap_msad_user_account_control_mapper.md
similarity index 100%
rename from docs/resources/keycloak_ldap_msad_user_account_control_mapper.md
rename to docs-old/resources/keycloak_ldap_msad_user_account_control_mapper.md
diff --git a/docs/resources/keycloak_ldap_user_attribute_mapper.md b/docs-old/resources/keycloak_ldap_user_attribute_mapper.md
similarity index 100%
rename from docs/resources/keycloak_ldap_user_attribute_mapper.md
rename to docs-old/resources/keycloak_ldap_user_attribute_mapper.md
diff --git a/docs/resources/keycloak_ldap_user_federation.md b/docs-old/resources/keycloak_ldap_user_federation.md
similarity index 100%
rename from docs/resources/keycloak_ldap_user_federation.md
rename to docs-old/resources/keycloak_ldap_user_federation.md
diff --git a/docs/resources/keycloak_oidc_identity_provider.md b/docs-old/resources/keycloak_oidc_identity_provider.md
similarity index 100%
rename from docs/resources/keycloak_oidc_identity_provider.md
rename to docs-old/resources/keycloak_oidc_identity_provider.md
diff --git a/docs/resources/keycloak_openid_audience_protocol_mapper.md b/docs-old/resources/keycloak_openid_audience_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_audience_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_audience_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_client.md b/docs-old/resources/keycloak_openid_client.md
similarity index 100%
rename from docs/resources/keycloak_openid_client.md
rename to docs-old/resources/keycloak_openid_client.md
diff --git a/docs/resources/keycloak_openid_client_default_scopes.md b/docs-old/resources/keycloak_openid_client_default_scopes.md
similarity index 100%
rename from docs/resources/keycloak_openid_client_default_scopes.md
rename to docs-old/resources/keycloak_openid_client_default_scopes.md
diff --git a/docs/resources/keycloak_openid_client_optional_scopes.md b/docs-old/resources/keycloak_openid_client_optional_scopes.md
similarity index 100%
rename from docs/resources/keycloak_openid_client_optional_scopes.md
rename to docs-old/resources/keycloak_openid_client_optional_scopes.md
diff --git a/docs/resources/keycloak_openid_client_scope.md b/docs-old/resources/keycloak_openid_client_scope.md
similarity index 100%
rename from docs/resources/keycloak_openid_client_scope.md
rename to docs-old/resources/keycloak_openid_client_scope.md
diff --git a/docs/resources/keycloak_openid_client_service_account_role.md b/docs-old/resources/keycloak_openid_client_service_account_role.md
similarity index 100%
rename from docs/resources/keycloak_openid_client_service_account_role.md
rename to docs-old/resources/keycloak_openid_client_service_account_role.md
diff --git a/docs/resources/keycloak_openid_full_name_protocol_mapper.md b/docs-old/resources/keycloak_openid_full_name_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_full_name_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_full_name_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_group_membership_protocol_mapper.md b/docs-old/resources/keycloak_openid_group_membership_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_group_membership_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_group_membership_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md b/docs-old/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_hardcoded_role_protocol_mapper.md b/docs-old/resources/keycloak_openid_hardcoded_role_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_hardcoded_role_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_hardcoded_role_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_user_attribute_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_attribute_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_user_attribute_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_user_attribute_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_user_client_role_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_client_role_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_user_client_role_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_user_client_role_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_user_property_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_property_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_user_property_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_user_property_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_user_realm_role_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_realm_role_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_user_realm_role_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_user_realm_role_protocol_mapper.md
diff --git a/docs/resources/keycloak_openid_user_session_note_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_session_note_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_openid_user_session_note_protocol_mapper.md
rename to docs-old/resources/keycloak_openid_user_session_note_protocol_mapper.md
diff --git a/docs/resources/keycloak_realm.md b/docs-old/resources/keycloak_realm.md
similarity index 100%
rename from docs/resources/keycloak_realm.md
rename to docs-old/resources/keycloak_realm.md
diff --git a/docs/resources/keycloak_realm_events.md b/docs-old/resources/keycloak_realm_events.md
similarity index 100%
rename from docs/resources/keycloak_realm_events.md
rename to docs-old/resources/keycloak_realm_events.md
diff --git a/docs/resources/keycloak_role.md b/docs-old/resources/keycloak_role.md
similarity index 100%
rename from docs/resources/keycloak_role.md
rename to docs-old/resources/keycloak_role.md
diff --git a/docs/resources/keycloak_saml_client.md b/docs-old/resources/keycloak_saml_client.md
similarity index 100%
rename from docs/resources/keycloak_saml_client.md
rename to docs-old/resources/keycloak_saml_client.md
diff --git a/docs/resources/keycloak_saml_client_default_scopes.md b/docs-old/resources/keycloak_saml_client_default_scopes.md
similarity index 100%
rename from docs/resources/keycloak_saml_client_default_scopes.md
rename to docs-old/resources/keycloak_saml_client_default_scopes.md
diff --git a/docs/resources/keycloak_saml_client_scope.md b/docs-old/resources/keycloak_saml_client_scope.md
similarity index 100%
rename from docs/resources/keycloak_saml_client_scope.md
rename to docs-old/resources/keycloak_saml_client_scope.md
diff --git a/docs/resources/keycloak_saml_identity_provider.md b/docs-old/resources/keycloak_saml_identity_provider.md
similarity index 100%
rename from docs/resources/keycloak_saml_identity_provider.md
rename to docs-old/resources/keycloak_saml_identity_provider.md
diff --git a/docs/resources/keycloak_saml_user_attribute_protocol_mapper.md b/docs-old/resources/keycloak_saml_user_attribute_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_saml_user_attribute_protocol_mapper.md
rename to docs-old/resources/keycloak_saml_user_attribute_protocol_mapper.md
diff --git a/docs/resources/keycloak_saml_user_property_protocol_mapper.md b/docs-old/resources/keycloak_saml_user_property_protocol_mapper.md
similarity index 100%
rename from docs/resources/keycloak_saml_user_property_protocol_mapper.md
rename to docs-old/resources/keycloak_saml_user_property_protocol_mapper.md
diff --git a/docs/resources/keycloak_user.md b/docs-old/resources/keycloak_user.md
similarity index 100%
rename from docs/resources/keycloak_user.md
rename to docs-old/resources/keycloak_user.md
diff --git a/docs/resources/keycloak_user_roles.md b/docs-old/resources/keycloak_user_roles.md
similarity index 100%
rename from docs/resources/keycloak_user_roles.md
rename to docs-old/resources/keycloak_user_roles.md
diff --git a/docs/data-sources/group.md b/docs/data-sources/group.md
new file mode 100644
index 00000000..6c45b499
--- /dev/null
+++ b/docs/data-sources/group.md
@@ -0,0 +1,47 @@
+---
+page_title: "keycloak_group Data Source"
+---
+
+# keycloak\_group Data Source
+
+This data source can be used to fetch properties of a Keycloak group for
+usage with other resources, such as `keycloak_group_roles`.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+data "keycloak_role" "offline_access" {
+ realm_id = keycloak_realm.realm.id
+ name = "offline_access"
+}
+
+data "keycloak_group" "group" {
+ realm_id = keycloak_realm.realm.id
+ name = "group"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+ realm_id = keycloak_realm.realm.id
+ group_id = data.keycloak_group.group.id
+
+ role_ids = [
+ data.keycloak_role.offline_access.id
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this group exists within.
+- `name` - (Required) The name of the group. If there are multiple groups match `name`, the first result will be returned.
+
+## Attributes Reference
+
+- `id` - (Computed) The unique ID of the group, which can be used as an argument to
+ other resources supported by this provider.
+
diff --git a/docs/data-sources/openid_client.md b/docs/data-sources/openid_client.md
new file mode 100644
index 00000000..0adf4398
--- /dev/null
+++ b/docs/data-sources/openid_client.md
@@ -0,0 +1,32 @@
+---
+page_title: "keycloak_openid_client Data Source"
+---
+
+# keycloak\_openid\_client Data Source
+
+This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources.
+
+## Example Usage
+
+```hcl
+data "keycloak_openid_client" "realm_management" {
+ realm_id = "my-realm"
+ client_id = "realm-management"
+}
+
+# use the data source
+data "keycloak_role" "admin" {
+ realm_id = "my-realm"
+ client_id = data.keycloak_openid_client.realm_management.id
+ name = "realm-admin"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm id.
+- `client_id` - (Required) The client id (not its unique ID).
+
+## Attributes Reference
+
+See the docs for the `keycloak_openid_client` resource for details on the exported attributes.
diff --git a/docs/data-sources/openid_client_authorization_policy.md b/docs/data-sources/openid_client_authorization_policy.md
new file mode 100644
index 00000000..a297d645
--- /dev/null
+++ b/docs/data-sources/openid_client_authorization_policy.md
@@ -0,0 +1,83 @@
+---
+page_title: "keycloak_openid_client_authorization_policy Data Source"
+---
+
+# keycloak\_openid\_client\_authorization\_policy Data Source
+
+This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.
+
+## Example Usage
+
+In this example, we'll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default
+permission for this client called "Default Permission". We'll use the `keycloak_openid_client_authorization_policy` data
+source to fetch information about this permission, so we can use it to create a new resource-based authorization permission.
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client_with_authz" {
+ client_id = "client-with-authz"
+ name = "client-with-authz"
+ realm_id = keycloak_realm.realm.id
+
+ access_type = "CONFIDENTIAL"
+ service_accounts_enabled = true
+
+ authorization {
+ policy_enforcement_mode = "ENFORCING"
+ }
+}
+
+data "keycloak_openid_client_authorization_policy" "default_permission" {
+ realm_id = keycloak_realm.test.id
+ resource_server_id = keycloak_openid_client.client_with_authz.resource_server_id
+ name = "Default Permission"
+}
+
+resource "keycloak_openid_client_authorization_resource" "resource" {
+ resource_server_id = keycloak_openid_client.client_with_authz.resource_server_id
+ name = "authorization-resource"
+ realm_id = keycloak_realm.test.id
+
+ uris = [
+ "/endpoint/*",
+ ]
+
+ attributes = {
+ "foo" = "bar"
+ }
+}
+
+resource "keycloak_openid_client_authorization_permission" "permission" {
+ resource_server_id = keycloak_openid_client.client_with_authz.resource_server_id
+ realm_id = keycloak_realm.test.id
+ name = "authorization-permission"
+
+ policies = [
+ data.keycloak_openid_client_authorization_policy.default_permission.id,
+ ]
+
+ resources = [
+ keycloak_openid_client_authorization_resource.resource.id,
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this authorization policy exists within.
+- `name` - (Required) The name of the authorization policy.
+- `resource_server_id` - (Required) The ID of the resource server this authorization policy is attached to.
+
+## Attributes Reference
+
+- `decision_strategy` - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
+- `owner` - (Computed) The ID of the owning resource. Applies to resources.
+- `logic` - (Computed) Dictates how the policy decision should be made. Can be either `POSITIVE` or `NEGATIVE`. Applies to policies.
+- `policies` - (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
+- `resources` - (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
+- `scopes` - (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
+- `type` - (Computed) The type of this policy / permission. For permissions, this could be `resource` or `scope`. For policies, this could be any type of authorization policy, such as `js`.
diff --git a/docs/data-sources/openid_client_service_account_user.md b/docs/data-sources/openid_client_service_account_user.md
new file mode 100644
index 00000000..9d345a89
--- /dev/null
+++ b/docs/data-sources/openid_client_service_account_user.md
@@ -0,0 +1,64 @@
+---
+page_title: "keycloak_openid_client_service_account_user Data Source"
+---
+
+# keycloak\_openid\_client\_service\_account\_user Data Source
+
+This data source can be used to fetch information about the service account user that is associated with an OpenID client
+that has service accounts enabled.
+
+## Example Usage
+
+In this example, we'll create an OpenID client with service accounts enabled. This causes Keycloak to create a special user
+that represents the service account. We'll use this data source to grab this user's ID in order to assign some roles to this
+user, using the `keycloak_user_roles` resource.
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+ name = "client"
+
+ access_type = "CONFIDENTIAL"
+ service_accounts_enabled = true
+}
+
+data "keycloak_openid_client_service_account_user" "service_account_user" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client.id
+}
+
+data "keycloak_role" "offline_access" {
+ realm_id = keycloak_realm.realm.id
+ name = "offline_access"
+}
+
+resource "keycloak_user_roles" "service_account_user_roles" {
+ realm_id = keycloak_realm.realm.id
+ user_id = data.keycloak_openid_client_service_account_user.service_account_user.id
+
+ role_ids = [
+ data.keycloak_role.offline_access.id
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that the OpenID client exists within.
+- `client_id` - (Required) The ID of the OpenID client with service accounts enabled.
+
+## Attributes Reference
+
+`username` - (Computed) The service account user's username.
+`email` - (Computed) The service account user's email.
+`first_name` - (Computed) The service account user's first name.
+`last_name` - (Computed) The service account user's last name.
+`enabled` - (Computed) Whether or not the service account user is enabled.
+`attributes` - (Computed) The service account user's attributes.
+`federated_identities` - (Computed) This attribute exists in order to adhere to the spec of a Keycloak user, but a service account user will never have a federated identity, so this will always be `null`.
diff --git a/docs/data-sources/realm.md b/docs/data-sources/realm.md
new file mode 100644
index 00000000..c1f75674
--- /dev/null
+++ b/docs/data-sources/realm.md
@@ -0,0 +1,32 @@
+---
+page_title: "keycloak_realm Data Source"
+---
+
+# keycloak\_realm Data Source
+
+This data source can be used to fetch properties of a Keycloak realm for
+usage with other resources.
+
+## Example Usage
+
+```hcl
+data "keycloak_realm" "realm" {
+ realm = "my-realm"
+}
+
+# use the data source
+
+resource "keycloak_role" "group" {
+ realm_id = data.keycloak_realm.realm.id
+ name = "group"
+}
+
+```
+
+## Argument Reference
+
+- `realm` - (Required) The realm name.
+
+## Attributes Reference
+
+See the docs for the `keycloak_realm` resource for details on the exported attributes.
diff --git a/docs/data-sources/realm_keys.md b/docs/data-sources/realm_keys.md
new file mode 100644
index 00000000..41689b1e
--- /dev/null
+++ b/docs/data-sources/realm_keys.md
@@ -0,0 +1,52 @@
+---
+page_title: "keycloak_realm_keys Data Source"
+---
+
+# keycloak\_realm\_keys Data Source
+
+Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status.
+
+Remarks:
+
+- A key must meet all filter criteria
+- This data source may return more than one value.
+- If no key matches the filter criteria, then an error will be returned.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+data "keycloak_realm_keys" "realm_keys" {
+ realm_id = keycloak_realm.realm
+ algorithms = ["AES", "RS256"]
+ status = ["ACTIVE", "PASSIVE"]
+}
+
+# show certificate of first key:
+output "certificate" {
+ value = data.keycloak_realm_keys.realm_keys.keys[0].certificate
+}
+
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm from which the keys will be retrieved.
+- `algorithms` - (Optional) When specified, keys will be filtered by algorithm. The algorithms can be any of `HS256`, `RS256`,`AES`, etc.
+- `status` - (Optional) When specified, keys will be filtered by status. The statuses can be any of `ACTIVE`, `DISABLED` and `PASSIVE`.
+
+## Attributes Reference
+
+- `keys` - (Computed) A list of keys that match the filter criteria. Each key has the following attributes:
+ - `algorithm` - Key algorithm (string)
+ - `certificate` - Key certificate (string)
+ - `provider_id` - Key provider ID (string)
+ - `provider_priority` - Key provider priority (int64)
+ - `kid` - Key ID (string)
+ - `public_key` - Key public key (string)
+ - `status` - Key status (string)
+ - `type` - Key type (string)
diff --git a/docs/data-sources/role.md b/docs/data-sources/role.md
new file mode 100644
index 00000000..210676e9
--- /dev/null
+++ b/docs/data-sources/role.md
@@ -0,0 +1,49 @@
+---
+page_title: "keycloak_role Data Source"
+---
+
+# keycloak\_role Data Source
+
+This data source can be used to fetch properties of a Keycloak role for
+usage with other resources, such as `keycloak_group_roles`.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+data "keycloak_role" "offline_access" {
+ realm_id = keycloak_realm.realm.id
+ name = "offline_access"
+}
+
+# use the data source
+
+resource "keycloak_group" "group" {
+ realm_id = keycloak_realm.realm.id
+ name = "group"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+ realm_id = keycloak_realm.realm.id
+ group_id = keycloak_group.group.id
+
+ role_ids = [
+ data.keycloak_role.offline_access.id
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this role exists within.
+- `client_id` - (Optional) When specified, this role is assumed to be a client role belonging to the client with the provided ID. The `id` attribute of a `keycloak_client` resource should be used here.
+- `name` - (Required) The name of the role.
+
+## Attributes Reference
+
+- `id` - (Computed) The unique ID of the role, which can be used as an argument to other resources supported by this provider.
+- `description` - (Computed) The description of the role.
diff --git a/docs/data-sources/saml_client_installation_provider.md b/docs/data-sources/saml_client_installation_provider.md
new file mode 100644
index 00000000..45dcdfdf
--- /dev/null
+++ b/docs/data-sources/saml_client_installation_provider.md
@@ -0,0 +1,54 @@
+---
+page_title: "keycloak_saml_client_installation_provider Data Source"
+---
+
+# keycloak\_saml\_client\_installation\_provider Data Source
+
+This data source can be used to retrieve Installation Provider of a SAML Client.
+
+## Example Usage
+
+In the example below, we extract the SAML metadata IDPSSODescriptor to pass it to the AWS IAM SAML Provider.
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_saml_client" "saml_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "test-saml-client"
+ name = "test-saml-client"
+
+ sign_documents = false
+ sign_assertions = true
+ include_authn_statement = true
+
+ signing_certificate = file("saml-cert.pem")
+ signing_private_key = file("saml-key.pem")
+}
+
+data "keycloak_saml_client_installation_provider" "saml_idp_descriptor" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_saml_client.saml_client.id
+ provider_id = "saml-idp-descriptor"
+}
+
+
+resource "aws_iam_saml_provider" "default" {
+ name = "myprovider"
+ saml_metadata_document = data.keycloak_saml_client_installation_provider.saml_idp_descriptor.value
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that the SAML client exists within.
+- `client_id` - (Required) The ID of the SAML client. The `id` attribute of a `keycloak_client` resource should be used here.
+- `provider_id` - (Required) The ID of the SAML installation provider. Could be one of `saml-idp-descriptor`, `keycloak-saml`, `saml-sp-descriptor`, `keycloak-saml-subsystem`, `mod-auth-mellon`, etc.
+
+## Attributes Reference
+
+- `id` - (Computed) The hash of the value.
+- `value` - (Computed) The returned document needed for SAML installation.
diff --git a/docs/index.md b/docs/index.md
index cf691c8e..ddcb2221 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,19 +1,18 @@ -# Installing +--- +page_title: "Keycloak Provider" +--- -You can download the latest version of this provider on the -[GitHub releases](https://github.com/mrparkers/terraform-provider-keycloak/releases) -page. +# Keycloak Provider -Please follow the [official docs](https://www.terraform.io/docs/configuration/providers.html#third-party-plugins) -for instructions on installing a third-party provider. +The Keycloak provider can be used to interact with [Keycloak](https://www.keycloak.org/). -# Keycloak Setup +## Keycloak Setup This Terraform provider can be configured to use the [client credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/) or [password](https://www.oauth.com/oauth2-servers/access-tokens/password-grant/) grant types. If you aren't sure which to use, the client credentials grant is recommended, as it was designed for machine to machine authentication. -## Client Credentials Grant Setup (recommended) +### Client Credentials Grant Setup (recommended) 1. Create a new client using the `openid-connect` protocol. This client can be created in the `master` realm if you would like to manage your entire Keycloak instance, or in any other realm if you only want to manage that realm. 
@@ -24,17 +23,17 @@ like to manage your entire Keycloak instance, or in any other realm if you only 1. Set "Service Accounts Enabled" to "ON". 1. Grant required roles for managing Keycloak via the "Service Account Roles" tab in the client you created in step 1. -## Password Grant Setup +### Password Grant Setup These steps will assume that you are using the `admin-cli` client, which is already correctly configured for this type of authentication. Do not follow these steps if you have already followed the steps for the client credentials grant. -1. Create or identify the user who's credentials will be used for authentication. +1. Create or identify the user whose credentials will be used for authentication. 1. Edit this user in the "Users" section of the management console and assign roles using the "Role Mappings" tab. -## Assigning Roles +### Assigning Roles -There are many different ways that roles can be assigned to manage Keycloak. Here are a couple of common scenarios accompanied +There are many ways that roles can be assigned to manage Keycloak. Here are a couple of common scenarios accompanied by suggested roles to assign. This is not an exhaustive list, and there is often more than one way to assign a particular set of permissions. 
@@ -45,23 +44,7 @@ account within the `foo` realm. the realm clients to a user or service account within the `master` realm. For example, given a Keycloak instance with realms `master`, `foo`, and `bar`, assign the `create-client` client role from the clients `master-realm`, `foo-realm`, and `bar-realm`. -# Provider Setup - -The following provider attributes are supported: - -- `client_id` (Required) - The `client_id` for the client that was created in the "Keycloak Setup" section. Use the `admin-cli` client if you are using the password grant. Defaults to the environment variable `KEYCLOAK_CLIENT_ID`. -- `url` (Required) - The URL of the Keycloak instance, before `/auth/admin`. Defaults to the environment variable `KEYCLOAK_URL`. -- `client_secret` (Optional) - The secret for the client used by the provider for authentication via the client credentials grant. This can be found or changed using the "Credentials" tab in the client settings. Defaults to the environment variable `KEYCLOAK_CLIENT_SECRET`. This attribute is required when using the client credentials grant, and cannot be set when using the password grant. -- `username` (Optional) - The username of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_USER`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant. -- `password` (Optional) - The password of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_PASSWORD`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant. -- `realm` (Optional) - The realm used by the provider for authentication. Defaults to environment variable `KEYCLOAK_REALM`, or `master` if the environment variable is not specified. 
-- `initial_login` (Optional) - Optionally avoid Keycloak login during provider setup, for when Keycloak itself is being provisioned by terraform. Defaults to true, which is the original method. -- `client_timeout` (Optional) - Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or 5 is the environment variable is not specified. -- `tls_insecure_skip_verify` (Optional) - Allows ignoring insecure certificates when set to true. Defaults to false. Disabling security check is dangerous and should be avoided. -- `root_ca_certificate` (Optional) - Allows x509 calls using an unknown CA certificate (for development purposes) -- `base_path` (Optional) - The base path used for accessing the Keycloak REST API. Defaults to `/auth` - -#### Example (client credentials) +## Example Usage (client credentials grant) ```hcl provider "keycloak" { @@ -71,7 +54,7 @@ provider "keycloak" { } ``` -#### Example (password) +## Example Usage (password grant) ```hcl provider "keycloak" { 
@@ -81,3 +64,19 @@ provider "keycloak" { url = "http://localhost:8080" } ``` + +## Argument Reference + +The following arguments are supported: + +- `client_id` - (Required) The `client_id` for the client that was created in the "Keycloak Setup" section. Use the `admin-cli` client if you are using the password grant. Defaults to the environment variable `KEYCLOAK_CLIENT_ID`. +- `url` - (Required) The URL of the Keycloak instance, before `/auth/admin`. Defaults to the environment variable `KEYCLOAK_URL`. +- `client_secret` - (Optional) The secret for the client used by the provider for authentication via the client credentials grant. This can be found or changed using the "Credentials" tab in the client settings. Defaults to the environment variable `KEYCLOAK_CLIENT_SECRET`. This attribute is required when using the client credentials grant, and cannot be set when using the password grant. +- `username` - (Optional) The username of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_USER`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant. +- `password` - (Optional) The password of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_PASSWORD`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant. +- `realm` - (Optional) The realm used by the provider for authentication. Defaults to environment variable `KEYCLOAK_REALM`, or `master` if the environment variable is not specified. +- `initial_login` - (Optional) Optionally avoid Keycloak login during provider setup, for when Keycloak itself is being provisioned by terraform. Defaults to true, which is the original method. +- `client_timeout` - (Optional) Sets the timeout of the client when addressing Keycloak, in seconds. 
Defaults to environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or 5 is the environment variable is not specified. +- `tls_insecure_skip_verify` - (Optional) Allows ignoring insecure certificates when set to true. Defaults to false. Disabling security check is dangerous and should be avoided. +- `root_ca_certificate` - (Optional) Allows x509 calls using an unknown CA certificate (for development purposes) +- `base_path` - (Optional) The base path used for accessing the Keycloak REST API. Defaults to `/auth` diff --git a/docs/resources/attribute_importer_identity_provider_mapper.md b/docs/resources/attribute_importer_identity_provider_mapper.md new file mode 100644 index 00000000..dfee8493 --- /dev/null +++ b/docs/resources/attribute_importer_identity_provider_mapper.md 
@@ -0,0 +1,70 @@
+---
+page_title: "keycloak_attribute_importer_identity_provider_mapper Resource"
+---
+
+# keycloak\_attribute\_importer\_identity\_provider\_mapper Resource
+
+Allows for creating and managing an attribute importer identity provider mapper within Keycloak.
+
+The attribute importer mapper can be used to map attributes from externally defined users to attributes or properties of the imported Keycloak user:
+- For the OIDC identity provider, this will map a claim on the ID or access token to an attribute for the imported Keycloak user.
+- For the SAML identity provider, this will map a SAML attribute found within the assertion to an attribute for the imported Keycloak user.
+- For social identity providers, this will map a JSON field from the user profile to an attribute for the imported Keycloak user.
+
+~> If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_oidc_identity_provider" "oidc" {
+ realm = keycloak_realm.realm.id
+ alias = "oidc"
+ authorization_url = "https://example.com/auth"
+ token_url = "https://example.com/token"
+ client_id = "example_id"
+ client_secret = "example_token"
+ default_scopes = "openid random profile"
+}
+
+resource "keycloak_attribute_importer_identity_provider_mapper" "oidc" {
+ realm = keycloak_realm.realm.id
+ name = "email-attribute-importer"
+ claim_name = "my-email-claim"
+ identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
+ user_attribute = "email"
+
+ # extra_config with syncMode is required in Keycloak 10+
+ extra_config = {
+ syncMode = "INHERIT"
+ }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `realm` - (Required) The name of the realm.
+- `name` - (Required) The name of the mapper.
+- `identity_provider_alias` - (Required) The alias of the associated identity provider.
+- `user_attribute` - (Required) The user attribute or property name to store the mapped result.
+- `attribute_name` - (Optional) For SAML based providers, this is the name of the attribute to search for in the assertion. Conflicts with `attribute_friendly_name`.
+- `attribute_friendly_name` - (Optional) For SAML based providers, this is the friendly name of the attribute to search for in the assertion. Conflicts with `attribute_name`.
+- `claim_name` - (Optional) For OIDC based providers, this is the name of the claim to use.
+- `extra_config` - (Optional) Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.
+
+## Import
+
+Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak
+assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_attribute_importer_identity_provider_mapper.test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b
+```
diff --git a/docs/resources/authentication_execution.md b/docs/resources/authentication_execution.md new file mode 100644
index 00000000..da9acd8a
--- /dev/null
+++ b/docs/resources/authentication_execution.md
@@ -0,0 +1,63 @@
+---
+page_title: "keycloak_authentication_execution Resource"
+---
+
+# keycloak\_authentication\_execution Resource
+
+Allows for creating and managing an authentication execution within Keycloak.
+
+An authentication execution is an action that the user or service may or may not take when authenticating through an authentication
+flow.
+
+~> Due to limitations in the Keycloak API, the ordering of authentication executions within a flow must be specified using `depends_on`. Authentication executions that are created first will appear first within the flow.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_authentication_flow" "flow" {
+ realm_id = keycloak_realm.realm.id
+ alias = "my-flow-alias"
+}
+
+# first execution
+resource "keycloak_authentication_execution" "execution_one" {
+ realm_id = "${keycloak_realm.realm.id}"
+ parent_flow_alias = "${keycloak_authentication_flow.flow.alias}"
+ authenticator = "auth-cookie"
+ requirement = "ALTERNATIVE"
+}
+
+# second execution
+resource "keycloak_authentication_execution" "execution_two" {
+ realm_id = "${keycloak_realm.realm.id}"
+ parent_flow_alias = "${keycloak_authentication_flow.flow.alias}"
+ authenticator = "identity-provider-redirector"
+ requirement = "ALTERNATIVE"
+
+ depends_on = [
+ keycloak_authentication_execution.execution_one
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm the authentication execution exists in.
+- `parent_flow_alias` - (Required) The alias of the flow this execution is attached to.
+- `authenticator` - (Required) The name of the authenticator. This can be found by experimenting with the GUI and looking at HTTP requests within the network tab of your browser's development tools.
+- `requirement`- (Optional) The requirement setting, which can be one of `REQUIRED`, `ALTERNATIVE`, `OPTIONAL`, `CONDITIONAL`, or `DISABLED`. Defaults to `DISABLED`.
+
+## Import
+
+Authentication executions can be imported using the formats: `{{realmId}}/{{parentFlowAlias}}/{{authenticationExecutionId}}`.
+
+Example:
+
+```bash
+$ terraform import keycloak_authentication_execution my-realm/my-flow/30559fcf-6fb8-45ea-8c46-2b86f46ebc17
+```
diff --git a/docs/resources/authentication_execution_config.md b/docs/resources/authentication_execution_config.md new file mode 100644
index 00000000..b854da85
--- /dev/null
+++ b/docs/resources/authentication_execution_config.md
@@ -0,0 +1,56 @@
+---
+page_title: "keycloak_authentication_execution_config Resource"
+---
+
+# keycloak\_authentication\_execution\_config Resource
+
+Allows for managing an authentication execution's configuration. If a particular authentication execution supports additional
+configuration (such as with the `identity-provider-redirector` execution), this can be managed with this resource.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_authentication_flow" "flow" {
+ realm_id = keycloak_realm.realm.id
+ alias = "my-flow-alias"
+}
+
+resource "keycloak_authentication_execution" "execution" {
+ realm_id = keycloak_realm.realm.id
+ parent_flow_alias = keycloak_authentication_flow.flow.alias
+ authenticator = "identity-provider-redirector"
+}
+
+resource "keycloak_authentication_execution_config" "config" {
+ realm_id = keycloak_realm.realm.id
+ execution_id = keycloak_authentication_execution.execution.id
+ alias = "my-config-alias"
+ config = {
+ defaultProvider = "my-config-default-idp"
+ }
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm the authentication execution exists in.
+- `execution_id` - (Required) The authentication execution this configuration is attached to.
+- `alias` - (Required) The name of the configuration.
+- `config` - (Optional) The configuration. Keys are specific to each configurable authentication execution and not checked when applying.
+
+## Import
+
+Configurations can be imported using the format `{{realm}}/{{authenticationExecutionId}}/{{authenticationExecutionConfigId}}`.
+If the `authenticationExecutionId` is incorrect, the import will still be successful.
+A subsequent apply will change the `authenticationExecutionId` to the correct one, which causes the configuration to be replaced.
+
+Example:
+
+```bash
+$ terraform import keycloak_authentication_execution_config.config my-realm/be081463-ddbf-4b42-9eff-9c97886f24ff/30559fcf-6fb8-45ea-8c46-2b86f46ebc17
+```
diff --git a/docs/resources/authentication_flow.md b/docs/resources/authentication_flow.md new file mode 100644
index 00000000..58877717
--- /dev/null
+++ b/docs/resources/authentication_flow.md
@@ -0,0 +1,54 @@
+---
+page_title: "keycloak_authentication_flow Resource"
+---
+
+# keycloak\_authentication\_flow Resource
+
+Allows for creating and managing an authentication flow within Keycloak.
+
+[Authentication flows](https://www.keycloak.org/docs/11.0/server_admin/index.html#_authentication-flows) describe a sequence
+of actions that a user or service must perform in order to be authenticated to Keycloak. The authentication flow itself
+is a container for these actions, which are otherwise known as executions.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_authentication_flow" "flow" {
+ realm_id = keycloak_realm.realm.id
+ alias = "my-flow-alias"
+}
+
+resource "keycloak_authentication_execution" "execution" {
+ realm_id = keycloak_realm.realm.id
+ parent_flow_alias = keycloak_authentication_flow.flow.alias
+ authenticator = "identity-provider-redirector"
+ requirement = "REQUIRED"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that the authentication flow exists in.
+- `alias` - (Required) The alias for this authentication flow.
+- `description` - (Optional) A description for the authentication flow.
+- `provider_id` - (Optional) The type of authentication flow to create. Valid choices include `basic-flow` and `client-flow`. Defaults to `basic-flow`.
+
+## Import
+
+Authentication flows can be imported using the format `{{realmId}}/{{authenticationFlowId}}`. The authentication flow ID is
+typically a GUID which is autogenerated when the flow is created via Keycloak.
+
+Unfortunately, it is not trivial to retrieve the authentication flow ID from the UI. The best way to do this is to visit the
+"Authentication" page in Keycloak, and use the network tab of your browser to view the response of the API call to `/auth/admin/realms/${realm}/authentication/flows`,
+which will be a list of authentication flows.
+
+Example:
+
+```bash
+$ terraform import keycloak_authentication_flow.flow my-realm/e9a5641e-778c-4daf-89c0-f4ef617987d1
+```
diff --git a/docs/resources/custom_user_federation.md b/docs/resources/custom_user_federation.md new file mode 100644
index 00000000..05ff5901
--- /dev/null
+++ b/docs/resources/custom_user_federation.md
@@ -0,0 +1,52 @@
+---
+page_title: "keycloak_custom_user_federation Resource"
+---
+
+# keycloak\_custom\_user\_federation Resource
+
+Allows for creating and managing custom user federation providers within Keycloak.
+
+A custom user federation provider is an implementation of Keycloak's [User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi).
+An example of this implementation can be found [here](https://github.com/mrparkers/terraform-provider-keycloak/tree/master/custom-user-federation-example).
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "test"
+ enabled = true
+}
+
+resource "keycloak_custom_user_federation" "custom_user_federation" {
+ name = "custom"
+ realm_id = keycloak_realm.realm.id
+ provider_id = "custom"
+
+ enabled = true
+
+ config = {
+ dummyString = "foobar"
+ dummyBool = true
+ }
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this provider will provide user federation for.
+- `name` - (Required) Display name of the provider when displayed in the console.
+- `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface.
+- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
+- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+- `parent_id` - (Optional) Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state.
+- `config` - (Optional) The provider configuration handed over to your custom user federation provider.
+
+## Import
+
+Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`.
+The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID:
+
+```bash
+$ terraform import keycloak_custom_user_federation.custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
+```
diff --git a/docs/resources/default_groups.md b/docs/resources/default_groups.md new file mode 100644
index 00000000..81784816
--- /dev/null
+++ b/docs/resources/default_groups.md
@@ -0,0 +1,45 @@
+---
+page_title: "keycloak_default_groups Resource"
+---
+
+# keycloak\_default\_groups Resource
+
+Allows for managing a realm's default groups.
+
+~> You should not use `keycloak_default_groups` with a group whose members are managed by `keycloak_group_memberships`.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_group" "group" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-group"
+}
+
+resource "keycloak_default_groups" "default" {
+ realm_id = keycloak_realm.realm.id
+ group_ids = [
+ keycloak_group.group.id
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this group exists in.
+- `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`.
+
+## Import
+
+Default groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in.
+
+Example:
+
+```bash
+$ terraform import keycloak_default_groups.default my-realm
+```
diff --git a/docs/resources/generic_client_protocol_mapper.md b/docs/resources/generic_client_protocol_mapper.md new file mode 100644
index 00000000..b2d220df
--- /dev/null
+++ b/docs/resources/generic_client_protocol_mapper.md
@@ -0,0 +1,61 @@
+---
+page_title: "keycloak_generic_client_protocol_mapper Resource"
+---
+
+# keycloak\_generic\_client\_protocol\_mapper Resource
+
+Allows for creating and managing protocol mappers for both types of clients (openid-connect and saml) within Keycloak.
+
+There are two uses cases for using this resource:
+* If you implemented a custom protocol mapper, this resource can be used to configure it
+* If the provider doesn't support a particular protocol mapper, this resource can be used instead.
+
+Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors.
+Therefore, if possible, a specific mapper should be used.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_saml_client" "saml_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "test-client"
+}
+
+resource "keycloak_generic_client_protocol_mapper" "saml_hardcode_attribute_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_saml_client.saml_client.id
+ name = "test-mapper"
+ protocol = "saml"
+ protocol_mapper = "saml-hardcode-attribute-mapper"
+ config = {
+ "attribute.name" = "name"
+ "attribute.nameformat" = "Basic"
+ "attribute.value" = "value"
+ "friendly.name" = "display name"
+ }
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `client_id` - (Required) The client this protocol mapper is attached to.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client.
+- `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be compatible with the specified client.
+- `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper.
+
+## Import
+
+Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_generic_client_protocol_mapper.saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/generic_client_role_mapper.md b/docs/resources/generic_client_role_mapper.md new file mode 100644
index 00000000..72c63773
--- /dev/null
+++ b/docs/resources/generic_client_role_mapper.md
@@ -0,0 +1,177 @@
+---
+page_title: "keycloak_generic_client_role_mapper Resource"
+---
+
+# keycloak\_generic\_client\_role\_mapper Resource
+
+Allow for creating and managing a client's scope mappings within Keycloak.
+
+By default, all the user role mappings of the user are added as claims within the token (OIDC) or assertion (SAML). When
+`full_scope_allowed` is set to `false` for a client, role scope mapping allows you to limit the roles that get declared
+inside an access token for a client.
+
+## Example Usage (Realm Role to Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+ name = "client"
+
+ enabled = true
+
+ access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "realm_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-realm-role"
+ description = "My Realm Role"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client.id
+ role_id = keycloak_role.realm_role.id
+}
+```
+
+## Example Usage (Client Role to Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client_a" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client-a"
+ name = "client-a"
+
+ enabled = true
+
+ access_type = "BEARER-ONLY"
+
+ // disable full scope, roles are assigned via keycloak_generic_client_role_mapper
+ full_scope_allowed = false
+}
+
+resource "keycloak_role" "client_role_a" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client_a.id
+ name = "my-client-role"
+ description = "My Client Role"
+}
+
+resource "keycloak_openid_client" "client_b" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client-b"
+ name = "client-b"
+
+ enabled = true
+
+ access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role"
"client_role_b" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client_b.id
+ name = "my-client-role"
+ description = "My Client Role"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_client.client_b.id
+ role_id = keycloak_role.client_role_a.id
+}
+```
+
+## Example Usage (Realm Role to Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-client-scope"
+}
+
+resource "keycloak_role" "realm_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-realm-role"
+ description = "My Realm Role"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ role_id = keycloak_role.realm_role.id
+}
+```
+
+## Example Usage (Client Role to Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+ name = "client"
+
+ enabled = true
+
+ access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client.id
+ name = "my-client-role"
+ description = "My Client Role"
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-client-scope"
+}
+
+resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_client_scope.client_scope.id
+ role_id = keycloak_role.client_role.id
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this role mapper exists within.
+- `client_id` - (Optional) The ID of the client this role mapper should be added to. Conflicts with `client_scope_id`. This argument is required if `client_scope_id` is not set.
+- `client_scope_id` - (Optional) The ID of the client scope this role mapper should be added to. Conflicts with `client_id`. This argument is required if `client_id` is not set.
+- `role_id` - (Required) The ID of the role to be added to this role mapper.
+
+## Import
+
+Generic client role mappers can be imported using one of the following two formats:
+
+- When mapping a role to a client, use the format `{{realmId}}/client/{{clientId}}/scope-mappings/{{roleClientId}}/{{roleId}}`
+- When mapping a role to a client scope, use the format `{{realmId}}/client-scope/{{clientScopeId}}/scope-mappings/{{roleClientId}}/{{roleId}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_generic_client_role_mapper.client_role_mapper my-realm/client/23888550-5dcd-41f6-85ba-554233021e9c/scope-mappings/ce51f004-bdfb-4dd5-a963-c4487d2dec5b/ff3aa49f-bc07-4030-8783-41918c3614a3
+```
diff --git a/docs/resources/group.md b/docs/resources/group.md new file mode 100644
index 00000000..09344d90
--- /dev/null
+++ b/docs/resources/group.md
@@ -0,0 +1,67 @@
+---
+page_title: "keycloak_group Resource"
+---
+
+# keycloak\_group Resource
+
+Allows for creating and managing Groups within Keycloak.
+
+Groups provide a logical wrapping for users within Keycloak. Users within a group can share attributes and roles, and
+group membership can be mapped to a claim.
+
+Attributes can also be defined on Groups.
+
+Groups can also be federated from external data sources, such as LDAP or Active Directory. This resource **should not**
+be used to manage groups that were created this way.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_group" "parent_group" {
+ realm_id = keycloak_realm.realm.id
+ name = "parent-group"
+}
+
+resource "keycloak_group" "child_group" {
+ realm_id = keycloak_realm.realm.id
+ parent_id = keycloak_group.parent_group.id
+ name = "child-group"
+}
+
+resource "keycloak_group" "child_group_with_optional_attributes" {
+ realm_id = keycloak_realm.realm.id
+ parent_id = keycloak_group.parent_group.id
+ name = "child-group-with-optional-attributes"
+ attributes = {
+ "key1" = "value1"
+ "key2" = "value2"
+ }
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this group exists in.
+- `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level.
+- `name` - (Required) The name of the group.
+- `attributes` - (Optional) A map of key/value pairs to set as custom attributes for the group.
+
+## Attributes Reference
+
+- `path` - (Computed) The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`.
+
+## Import
+
+Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak
+assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_group.child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd
+```
diff --git a/docs/resources/group_memberships.md b/docs/resources/group_memberships.md
new file mode 100644
index 00000000..f18dedc5
--- /dev/null
+++ b/docs/resources/group_memberships.md
@@ -0,0 +1,56 @@
+---
+page_title: "keycloak_group_memberships Resource"
+---
+
+# keycloak\_group\_memberships Resource
+
+Allows for managing a Keycloak group's members.
+
+Note that this resource attempts to be an **authoritative** source over group members. When this resource takes control
+over a group's members, users that are manually added to the group will be removed, and users that are manually removed
+from the group will be added upon the next run of `terraform apply`.
+
+Also note that you should not use `keycloak_group_memberships` with a group has been assigned as a default group via
+`keycloak_default_groups`.
+
+This resource **should not** be used to control membership of a group that has its members federated from an external
+source via group mapping.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_group" "group" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-group"
+}
+
+resource "keycloak_user" "user" {
+ realm_id = keycloak_realm.realm.id
+ username = "my-user"
+}
+
+resource "keycloak_group_memberships" "group_members" {
+ realm_id = keycloak_realm.realm.id
+ group_id = keycloak_group.group.id
+
+ members = [
+ keycloak_user.user.username
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this group exists in.
+- `group_id` - (Required) The ID of the group this resource should manage memberships for.
+- `members` - (Required) A list of usernames that belong to this group.
+
+## Import
+
+This resource does not support import. Instead of importing, feel free to create this resource
+as if it did not already exist on the server.
diff --git a/docs/resources/group_roles.md b/docs/resources/group_roles.md
new file mode 100644
index 00000000..d3508471
--- /dev/null
+++ b/docs/resources/group_roles.md
@@ -0,0 +1,79 @@
+---
+page_title: "keycloak_group_roles Resource"
+---
+
+# keycloak\_group\_roles Resource
+
+Allows you to manage roles assigned to a Keycloak group.
+
+Note that this resource attempts to be an **authoritative** source over group roles. When this resource takes control over
+a group's roles, roles that are manually added to the group will be removed, and roles that are manually removed from the
+group will be added upon the next run of `terraform apply`.
+
+Note that when assigning composite roles to a group, you may see a non-empty plan following a `terraform apply` if you
+assign a role and a composite that includes that role to the same group.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_role" "realm_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-realm-role"
+ description = "My Realm Role"
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+ name = "client"
+
+ enabled = true
+
+ access_type = "BEARER-ONLY"
+}
+
+resource "keycloak_role" "client_role" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_client.client.id
+ name = "my-client-role"
+ description = "My Client Role"
+}
+
+resource "keycloak_group" "group" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-group"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+ realm_id = keycloak_realm.realm.id
+ group_id = keycloak_group.group.id
+
+ role_ids = [
+ keycloak_role.realm_role.id,
+ keycloak_role.client_role.id,
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this group exists in.
+- `group_id` - (Required) The ID of the group this resource should manage roles for.
+- `role_ids` - (Required) A list of role IDs to map to the group
+
+## Import
+
+This resource can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak
+assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically
+a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_group_roles.group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94
+```
diff --git a/docs/resources/identity_provider_token_exchange_scope_permission.md b/docs/resources/identity_provider_token_exchange_scope_permission.md
new file mode 100644
index 00000000..06ac4050
--- /dev/null
+++ b/docs/resources/identity_provider_token_exchange_scope_permission.md
@@ -0,0 +1,89 @@
+---
+page_title: "keycloak_identity_provider_token_exchange_scope_permission Resource"
+---
+
+# keycloak\_identity\_provider\_token\_exchange\_scope\_permission Resource
+
+Allows you to manage Identity Provider "Token exchange" Scope Based Permissions.
+
+This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource.
+More information about enabling the preview feature can be found here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
+
+When enabling Identity Provider Permissions, Keycloak does several things automatically:
+1. Enable Authorization on build-in realm-management client
+1. Create a "token-exchange" scope
+1. Create a resource representing the identity provider
+1. Create a scope based permission for the "token-exchange" scope and identity provider resource
+
+The only thing that is missing is a policy set on the permission.
+As the policy lives within the context of the realm-management client, you cannot create a policy resource and link to from with your _.tf_ file. This would also cause an implicit cycle dependency.
+Thus, the only way to manage this in terraform is to create and manage the policy internally from within this terraform resource itself.
+At the moment only a client policy type is supported. The client policy will automatically be created for the clients parameter.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "token_exchange_realm" {
+ realm = "token-exchange_destination_realm"
+ enabled = true
+}
+
+resource "keycloak_oidc_identity_provider" "token_exchange_my_oidc_idp" {
+ realm = keycloak_realm.token_exchange_realm.id
+ alias = "myIdp"
+ authorization_url = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth"
+ token_url = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token"
+ client_id = "clientId"
+ client_secret = "secret"
+ default_scopes = "openid"
+}
+
+resource "keycloak_openid_client" "token-exchange_webapp_client" {
+ realm_id = keycloak_realm.token_exchange_realm.id
+ name = "webapp_client"
+ client_id = "webapp_client"
+ client_secret = "secret"
+ description = "a webapp client on the destination realm"
+ access_type = "CONFIDENTIAL"
+ standard_flow_enabled = true
+ valid_redirect_uris = [
+ "http://localhost:8080/*",
+ ]
+}
+
+//relevant part
+resource "keycloak_identity_provider_token_exchange_scope_permission" "oidc_idp_permission" {
+ realm_id = keycloak_realm.token_exchange_realm.id
+ provider_alias = keycloak_oidc_identity_provider.token_exchange_my_oidc_idp.alias
+ policy_type = "client"
+ clients = [
+ keycloak_openid_client.token-exchange_webapp_client.id
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that the identity provider exists in.
+- `provider_alias` - (Required) Alias of the identity provider.
+- `policy_type` - (Optional) Defaults to "client" This is also the only value policy type supported by this provider.
+- `clients` - (Required) A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
+
+## Attributes Reference
+
+- `policy_id` - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
+- `authorization_resource_server_id` - (Computed) Resource server ID representing the realm management client on which this permission is managed.
+- `authorization_idp_resource_id` - (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
+- `authorization_token_exchange_scope_permission_id` - (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
+
+
+## Import
+
+This resource can be imported using the format `{{realm_id}}/{{provider_alias}}`, where `provider_alias` is the alias that
+you assign to the identity provider upon creation.
+
+Example:
+
+```bash
+$ terraform import keycloak_identity_provider_token_exchange_scope_permission.oidc_idp_permission my-realm/myIdp
+```
diff --git a/docs/resources/ldap_full_name_mapper.md b/docs/resources/ldap_full_name_mapper.md
new file mode 100644
index 00000000..a2e9f6f2
--- /dev/null
+++ b/docs/resources/ldap_full_name_mapper.md
@@ -0,0 +1,64 @@
+---
+page_title: "keycloak_ldap_full_name_mapper Resource"
+---
+
+# keycloak\_ldap\_full\_name\_mapper Resource
+
+Allows for creating and managing full name mappers for Keycloak users federated via LDAP.
+
+The LDAP full name mapper can map a user's full name from an LDAP attribute to the first and last name attributes of a
+Keycloak user.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "openldap"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "entryDN"
+ user_object_classes = [
+ "simpleSecurityObject",
+ "organizationalRole"
+ ]
+
+ connection_url = "ldap://openldap"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+resource "keycloak_ldap_full_name_mapper" "ldap_full_name_mapper" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "full-name-mapper"
+ ldap_full_name_attribute = "cn"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this LDAP mapper will exist in.
+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+- `name` - (Required) Display name of this mapper when displayed in the console.
+- `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name.
+- `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`.
+- `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`.
+
+## Import
+
+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+
+Example:
+
+```bash
+$ terraform import keycloak_ldap_full_name_mapper.ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+```
diff --git a/docs/resources/ldap_group_mapper.md b/docs/resources/ldap_group_mapper.md
new file mode 100644
index 00000000..5418afeb
--- /dev/null
+++ b/docs/resources/ldap_group_mapper.md
@@ -0,0 +1,84 @@
+---
+page_title: "keycloak_ldap_group_mapper Resource"
+---
+
+# keycloak\_ldap\_group\_mapper
+
+Allows for creating and managing group mappers for Keycloak users federated via LDAP.
+
+The LDAP group mapper can be used to map an LDAP user's groups from some DN to Keycloak groups. This group mapper will also
+create the groups within Keycloak if they do not already exist.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "openldap"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "entryDN"
+ user_object_classes = [
+ "simpleSecurityObject",
+ "organizationalRole"
+ ]
+
+ connection_url = "ldap://openldap"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+resource "keycloak_ldap_group_mapper" "ldap_group_mapper" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "group-mapper"
+
+ ldap_groups_dn = "dc=example,dc=org"
+ group_name_ldap_attribute = "cn"
+ group_object_classes = [
+ "groupOfNames"
+ ]
+ membership_attribute_type = "DN"
+ membership_ldap_attribute = "member"
+ membership_user_ldap_attribute = "cn"
+ memberof_ldap_attribute = "memberOf"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this LDAP mapper will exist in.
+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+- `name` - (Required) Display name of this mapper when displayed in the console.
+- `ldap_groups_dn` - (Required) The LDAP DN where groups can be found.
+- `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`.
+- `group_object_classes` - (Required) List of strings representing the object classes for the group. Must contain at least one.
+- `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak.
+- `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored.
+- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings.
+- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`.
+- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings.
+- `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`.
+- `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`.
+- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`.
+- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`.
+- `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group.
+- `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`.
+
+## Import
+
+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+
+Example:
+
+```bash
+$ terraform import keycloak_ldap_group_mapper.ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+```
diff --git a/docs/resources/ldap_hardcoded_role_mapper.md b/docs/resources/ldap_hardcoded_role_mapper.md
new file mode 100644
index 00000000..552cfbad
--- /dev/null
+++ b/docs/resources/ldap_hardcoded_role_mapper.md
@@ -0,0 +1,113 @@
+---
+page_title: "keycloak_ldap_hardcoded_role_mapper Resource"
+---
+
+# keycloak\_ldap\_hardcoded\_role\_mapper Resource
+
+Allows for creating and managing hardcoded role mappers for Keycloak users federated via LDAP.
+
+The LDAP hardcoded role mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP.
+
+## Example Usage (realm role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "openldap"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "entryDN"
+ user_object_classes = [
+ "simpleSecurityObject",
+ "organizationalRole"
+ ]
+
+ connection_url = "ldap://openldap"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+resource "keycloak_role" "realm_admin_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-admin-role"
+ description = "My Realm Role"
+}
+
+resource "keycloak_ldap_hardcoded_role_mapper" "assign_admin_role_to_all_users" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "assign-admin-role-to-all-users"
+ role = keycloak_role.realm_admin_role.name
+}
+```
+
+## Example Usage (client role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "openldap"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "entryDN"
+ user_object_classes = [
+ "simpleSecurityObject",
+ "organizationalRole"
+ ]
+
+ connection_url = "ldap://openldap"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+// data sources aren't technically necessary here, but they are helpful for demonstration purposes
+data "keycloak_openid_client" "realm_management" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "realm-management"
+}
+
+data "keycloak_role" "create_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = data.keycloak_openid_client.realm_management.id
+ name = "create-client"
+}
+
+resource "keycloak_ldap_hardcoded_role_mapper" "assign_admin_role_to_all_users" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "assign-admin-role-to-all-users"
+ role = "${data.keycloak_openid_client.realm_management.client_id}.${data.keycloak_role.create_client.name}"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this LDAP mapper will exist in.
+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+- `name` - (Required) Display name of this mapper when displayed in the console.
+- `role` - (Required) The name of the role which should be assigned to the users. Client roles should use the format `{{client_id}}.{{client_role_name}}`.
+
+## Import
+
+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+
+Example:
+
+```bash
+$ terraform import keycloak_ldap_hardcoded_role_mapper.assign_admin_role_to_all_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+```
diff --git a/docs/resources/ldap_msad_lds_user_account_control_mapper.md b/docs/resources/ldap_msad_lds_user_account_control_mapper.md
new file mode 100644
index 00000000..c480075b
--- /dev/null
+++ b/docs/resources/ldap_msad_lds_user_account_control_mapper.md
@@ -0,0 +1,63 @@
+---
+page_title: "keycloak_ldap_msad_lds_user_account_control_mapper Resource"
+---
+
+# keycloak\_ldap\_msad\_lds\_user\_account\_control\_mapper Resource
+
+Allows for creating and managing MSAD-LDS user account control mappers for Keycloak
+users federated via LDAP.
+
+The MSAD-LDS (Microsoft Active Directory Lightweight Directory Service) user account control mapper is specific
+to LDAP user federation providers that are pulling from AD-LDS, and it can propagate
+AD-LDS user state to Keycloak in order to enforce settings like expired passwords
+or disabled accounts.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "ad"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "objectGUID"
+ user_object_classes = [
+ "person",
+ "organizationalPerson",
+ "user"
+ ]
+ connection_url = "ldap://my-ad-server"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+resource "keycloak_ldap_msad_lds_user_account_control_mapper" "msad_lds_user_account_control_mapper" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "msad-lds-user-account-control-mapper"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this LDAP mapper will exist in.
+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+- `name` - (Required) Display name of this mapper when displayed in the console.
+
+## Import
+
+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+
+Example:
+
+```bash
+$ terraform import keycloak_ldap_msad_lds_user_account_control_mapper.msad_lds_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+```
diff --git a/docs/resources/ldap_msad_user_account_control_mapper.md b/docs/resources/ldap_msad_user_account_control_mapper.md
new file mode 100644
index 00000000..1bfac1d2
--- /dev/null
+++ b/docs/resources/ldap_msad_user_account_control_mapper.md
@@ -0,0 +1,64 @@
+---
+page_title: "keycloak_ldap_msad_user_account_control_mapper Resource"
+---
+
+# keycloak\_ldap\_msad\_user\_account\_control\_mapper Resource
+
+Allows for creating and managing MSAD user account control mappers for Keycloak
+users federated via LDAP.
+
+The MSAD (Microsoft Active Directory) user account control mapper is specific
+to LDAP user federation providers that are pulling from AD, and it can propagate
+AD user state to Keycloak in order to enforce settings like expired passwords
+or disabled accounts.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "ad"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "objectGUID"
+ user_object_classes = [
+ "person",
+ "organizationalPerson",
+ "user"
+ ]
+ connection_url = "ldap://my-ad-server"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+resource "keycloak_ldap_msad_user_account_control_mapper" "msad_user_account_control_mapper" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "msad-user-account-control-mapper"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this LDAP mapper will exist in.
+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+- `name` - (Required) Display name of this mapper when displayed in the console.
+- `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`.
+
+## Import
+
+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+
+Example:
+
+```bash
+$ terraform import keycloak_ldap_msad_user_account_control_mapper.msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+```
diff --git a/docs/resources/ldap_user_attribute_mapper.md b/docs/resources/ldap_user_attribute_mapper.md
new file mode 100644
index 00000000..88ee3502
--- /dev/null
+++ b/docs/resources/ldap_user_attribute_mapper.md
@@ -0,0 +1,69 @@
+---
+page_title: "keycloak_ldap_user_attribute_mapper Resource"
+---
+
+# keycloak\_ldap\_user\_attribute\_mapper Resource
+
+Allows for creating and managing user attribute mappers for Keycloak users
+federated via LDAP.
+
+The LDAP user attribute mapper can be used to map a single LDAP attribute
+to an attribute on the Keycloak user model.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "openldap"
+ realm_id = keycloak_realm.realm.id
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "entryDN"
+ user_object_classes = [
+ "simpleSecurityObject",
+ "organizationalRole"
+ ]
+
+ connection_url = "ldap://openldap"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+}
+
+resource "keycloak_ldap_user_attribute_mapper" "ldap_user_attribute_mapper" {
+ realm_id = keycloak_realm.realm.id
+ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id
+ name = "user-attribute-mapper"
+
+ user_model_attribute = "foo"
+ ldap_attribute = "bar"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this LDAP mapper will exist in.
+- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to.
+- `name` - (Required) Display name of this mapper when displayed in the console.
+- `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into.
+- `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object.
+- `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`.
+- `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`.
+- `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`.
+
+## Import
+
+LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`.
+The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs.
+
+Example:
+
+```bash
+$ terraform import keycloak_ldap_user_attribute_mapper.ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67
+```
diff --git a/docs/resources/ldap_user_federation.md b/docs/resources/ldap_user_federation.md
new file mode 100644
index 00000000..c09c40d0
--- /dev/null
+++ b/docs/resources/ldap_user_federation.md
@@ -0,0 +1,97 @@
+---
+page_title: "keycloak_ldap_user_federation Resource"
+---
+
+# keycloak\_ldap\_user\_federation Resource
+
+Allows for creating and managing LDAP user federation providers within Keycloak.
+
+Keycloak can use an LDAP user federation provider to federate users to Keycloak
+from a directory system such as LDAP or Active Directory. Federated users
+will exist within the realm and will be able to log in to clients. Federated
+users can have their attributes defined using mappers.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_ldap_user_federation" "ldap_user_federation" {
+ name = "openldap"
+ realm_id = keycloak_realm.realm.id
+ enabled = true
+
+ username_ldap_attribute = "cn"
+ rdn_ldap_attribute = "cn"
+ uuid_ldap_attribute = "entryDN"
+ user_object_classes = [
+ "simpleSecurityObject",
+ "organizationalRole"
+ ]
+ connection_url = "ldap://openldap"
+ users_dn = "dc=example,dc=org"
+ bind_dn = "cn=admin,dc=example,dc=org"
+ bind_credential = "admin"
+
+ connection_timeout = "5s"
+ read_timeout = "10s"
+
+ kerberos {
+ kerberos_realm = "FOO.LOCAL"
+ server_principal = "HTTP/host.foo.com@FOO.LOCAL"
+ keytab = "/etc/host.keytab"
+ }
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that this provider will provide user federation for.
+- `name` - (Required) Display name of the provider when displayed in the console.
+- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`.
+- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`.
+- `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`.
+- `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`.
+- `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`.
+- `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`.
+- `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username.
+- `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name.
+- `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP.
+- `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one.
+- `connection_url` - (Required) Connection URL to the LDAP server.
+- `users_dn` - (Required) Full DN of LDAP tree where your users are.
+- `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set.
+- `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set.
+- `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`.
+- `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`:
+ - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`.
+ - `SUBTREE`: Search entire LDAP subtree.
+- `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it.
+- `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`:
+ - `ALWAYS` - Always use the truststore SPI for LDAP connections.
+ - `NEVER` - Never use the truststore SPI for LDAP connections.
+ - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol.
+- `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+- `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String).
+- `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`.
+- `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`.
+- `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync.
+- `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync.
+- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`.
+- `kerberos` - (Optional) A block containing the kerberos settings.
+ - `kerberos_realm` - (Required) The name of the kerberos realm, e.g. FOO.LOCAL.
+ - `server_principal` - (Required) The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'.
+ - `key_tab` - (Required) Path to the kerberos keytab file on the server with credentials of the service principal.
+ - `use_kerberos_for_password_authentication` - (Optional) Use kerberos login module instead of ldap service api. Defaults to `false`.
+
+## Import
+
+LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`.
+The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID:
+
+```bash
+$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860
+```
diff --git a/docs/resources/oidc_google_identity_provider.md b/docs/resources/oidc_google_identity_provider.md
new file mode 100644
index 00000000..e5c5f0f0
--- /dev/null
+++ b/docs/resources/oidc_google_identity_provider.md
@@ -0,0 +1,62 @@
+---
+page_title: "keycloak_oidc_google_identity_provider Resource"
+---
+
+# keycloak\_oidc\_google\_identity\_provider Resource
+
+Allows for creating and managing OIDC Identity Providers within Keycloak.
+
+OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_oidc_google_identity_provider" "google" {
+ realm = keycloak_realm.realm.id
+ client_id = var.google_identity_provider_client_id
+ client_secret = var.google_identity_provider_client_secret
+ trust_email = true
+ hosted_domain = "example.com"
+
+ extra_config = {
+ "syncMode" = "IMPORT"
+ }
+}
+```
+
+## Argument Reference
+
+- `realm` - (Required) The name of the realm. This is unique across Keycloak.
+- `client_id` - (Required) The client or client identifier registered within the identity provider.
+- `client_secret` - (Required) The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
+- `enabled` - (Optional) When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
+- `store_token` - (Optional) When `true`, tokens will be stored after authenticating users. Defaults to `true`.
+- `add_read_token_role_on_create` - (Optional) When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
+- `link_only` - (Optional) When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
+- `trust_email` - (Optional) When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
+- `first_broker_login_flow_alias` - (Optional) The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
+- `post_broker_login_flow_alias` - (Optional) The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
+- `provider_id` - (Optional) The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
+- `hosted_domain` - (Optional) Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
+- `use_user_ip_param` - (Optional) Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
+- `request_refresh_token` - (Optional) Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
+- `default_scopes` - (Optional) The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
+- `accepts_prompt_none_forward_from_client` - (Optional) When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
+- `disable_user_info` - (Optional) When `true`, disables the usage of Google's user info service to obtain additional user information. Defaults to `false`.
+- `hide_on_login_page` - (Optional) When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
+- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider.
+
+## Attribute Reference
+
+- `internal_id` - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
+- `alias` - (Computed) The alias for the Google identity provider.
+- `display_name` - (Computed) Display name for the Google identity provider in the GUI.
+
+## Import
+
+This resource does not yet support importing.
diff --git a/docs/resources/oidc_identity_provider.md b/docs/resources/oidc_identity_provider.md
new file mode 100644
index 00000000..9e8d01bc
--- /dev/null
+++ b/docs/resources/oidc_identity_provider.md
@@ -0,0 +1,75 @@
+---
+page_title: "keycloak_oidc_identity_provider Resource"
+---
+
+# keycloak\_oidc\_identity\_provider Resource
+
+Allows for creating and managing OIDC Identity Providers within Keycloak.
+
+OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
+ realm = keycloak_realm.realm.id
+ alias = "my-idp"
+ authorization_url = "https://authorizationurl.com"
+ client_id = "clientID"
+ client_secret = "clientSecret"
+ token_url = "https://tokenurl.com"
+
+ extra_config = {
+ "clientAuthMethod" = "client_secret_post"
+ }
+}
+```
+
+## Argument Reference
+
+- `realm` - (Required) The name of the realm. This is unique across Keycloak.
+- `alias` - (Required) The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+- `authorization_url` - (Required) The Authorization Url.
+- `client_id` - (Required) The client or client identifier registered within the identity provider.
+- `client_secret` - (Required) The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
+- `token_url` - (Required) The Token URL.
+- `display_name` - (Optional) Display name for the identity provider in the GUI.
+- `enabled` - (Optional) When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
+- `store_token` - (Optional) When `true`, tokens will be stored after authenticating users. Defaults to `true`.
+- `add_read_token_role_on_create` - (Optional) When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
+- `link_only` - (Optional) When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
+- `trust_email` - (Optional) When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
+- `first_broker_login_flow_alias` - (Optional) The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
+- `post_broker_login_flow_alias` - (Optional) The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
+- `provider_id` - (Optional) The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
+- `backchannel_supported` - (Optional) Does the external IDP support backchannel logout? Defaults to `true`.
+- `validate_signature` - (Optional) Enable/disable signature validation of external IDP signatures. Defaults to `false`.
+- `user_info_url` - (Optional) User Info URL.
+- `jwks_url` - (Optional) JSON Web Key Set URL.
+- `hide_on_login_page` - (Optional) When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
+- `logout_url` - (Optional) The Logout URL is the end session endpoint to use to logout user from external identity provider.
+- `login_hint` - (Optional) Pass login hint to identity provider.
+- `ui_locales` - (Optional) Pass current locale to identity provider. Defaults to `false`.
+- `accepts_prompt_none_forward_from_client` (Optional) When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
+- `default_scopes` - (Optional) The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
+- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider.
+ - `clientAuthMethod` (Optional) The client authentication method. Since Keycloak 8, this is a required attribute if OIDC provider is created using the Keycloak GUI. It accepts the values `client_secret_post` (Client secret sent as post), `client_secret_basic` (Client secret sent as basic auth), `client_secret_jwt` (Client secret as jwt) and `private_key_jwt ` (JTW signed with private key)
+
+## Attribute Reference
+
+- `internal_id` - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
+
+## Import
+
+Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias.
+
+Example:
+
+```bash
+$ terraform import keycloak_oidc_identity_provider.realm_identity_provider my-realm/my-idp
+```
diff --git a/docs/resources/openid_audience_protocol_mapper.md b/docs/resources/openid_audience_protocol_mapper.md
new file mode 100644
index 00000000..24eb8112
--- /dev/null
+++ b/docs/resources/openid_audience_protocol_mapper.md
@@ -0,0 +1,86 @@
+---
+page_title: "keycloak_openid_audience_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_audience\_protocol\_mapper Resource
+
+Allows for creating and managing audience protocol mappers within Keycloak.
+
+Audience protocol mappers allow you add audiences to the `aud` claim within issued tokens. The audience can be a custom
+string, or it can be mapped to the ID of a pre-existing client.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "audience-mapper"
+
+ included_custom_audience = "foo"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "test-client-scope"
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "audience-mapper"
+
+ included_custom_audience = "foo"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `included_client_audience` - (Optional) A client ID to include within the token's `aud` claim. Conflicts with `included_custom_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
+- `included_custom_audience` - (Optional) A custom audience to include within the token's `aud` claim. Conflicts with `included_client_audience`. One of `included_client_audience` or `included_custom_audience` must be specified.
+- `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_client.md b/docs/resources/openid_client.md
new file mode 100644
index 00000000..026a0864
--- /dev/null
+++ b/docs/resources/openid_client.md
@@ -0,0 +1,91 @@
+---
+page_title: "keycloak_openid_client Resource"
+---
+
+# keycloak\_openid\_client Resource
+
+Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.
+
+Clients are entities that can use Keycloak for user authentication. Typically,
+clients are applications that redirect users to Keycloak for authentication
+in order to take advantage of Keycloak's user sessions for SSO.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "test-client"
+
+ name = "test client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+
+ login_theme = "keycloak"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this client is attached to.
+- `client_id` - (Required) The Client ID for this client, referenced in the URI during authentication and in issued tokens.
+- `name` - (Optional) The display name of this client in the GUI.
+- `enabled` - (Optional) When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+- `description` - (Optional) The description of this client in the GUI.
+- `access_type` - (Required) Specifies the type of client, which can be one of the following:
+ - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
+ This client should be used for applications using the Authorization Code or Client Credentials grant flows.
+ - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
+ URIs for security. This client should be used for applications using the Implicit grant flow.
+ - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
+- `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
+- `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
+- `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
+- `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
+- `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
+- `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
+wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
+is set to `true`.
+- `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins.
+- `root_url` - (Optional) When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
+- `admin_url` - (Optional) URL to the admin interface of the client.
+- `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.
+- `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
+- `full_scope_allowed` - (Optional) Allow to include all roles mappings in the access token.
+- `access_token_lifespan` - (Optional) The amount of time in seconds before an access token expires. This will override the default for the realm.
+- `consent_required` - (Optional) When `true`, users have to consent to client access.
+- `authentication_flow_binding_overrides` - (Optional) Override realm authentication flow bindings
+ - `browser_id` - (Optional) Browser flow id, (flow needs to exist)
+ - `direct_grant_id` - (Optional) Direct grant flow id (flow needs to exist)
+- `login_theme` - (Optional) The client login theme. This will override the default theme for the realm.
+- `exclude_session_state_from_auth_response` - (Optional) When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.
+- `authorization` - (Optional) When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
+ - `policy_enforcement_mode` - (Required) Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
+ - `allow_remote_resource_management` - (Optional) When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
+ - `keep_defaults` - (Optional) When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
+
+## Attributes Reference
+
+- `service_account_user_id` - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
+- `resource_server_id` - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute).
+
+
+## Import
+
+Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak
+assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client.openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
+```
diff --git a/docs/resources/openid_client_default_scopes.md b/docs/resources/openid_client_default_scopes.md
new file mode 100644
index 00000000..ab3d28ba
--- /dev/null
+++ b/docs/resources/openid_client_default_scopes.md
@@ -0,0 +1,64 @@
+---
+page_title: "keycloak_openid_client_default_scopes Resource"
+---
+
+# keycloak\_openid\_client\_default\_scopes Resource
+
+Allows for managing a Keycloak client's default client scopes. A default scope that is attached to a client using the
+OpenID Connect protocol will automatically use the protocol mappers defined within that scope to build claims for this
+client regardless of the provided OAuth2.0 `scope` parameter.
+
+Note that this resource attempts to be an **authoritative** source over default scopes for a Keycloak client using the
+OpenID Connect protocol. This means that once Terraform controls a particular client's default scopes, it will attempt to
+remove any default scopes that were attached manually, and it will attempt to add any default scopes that were detached
+manually.
+
+By default, Keycloak sets the `profile`, `email`, `roles`, and `web-origins` scopes as default scopes for every newly
+created client. If you create this resource for the first time and do not include these scopes, a following run of
+`terraform plan` will result in changes.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "test-client"
+
+ access_type = "CONFIDENTIAL"
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "test-client-scope"
+}
+
+resource "keycloak_openid_client_default_scopes" "client_default_scopes" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client.id
+
+ default_scopes = [
+ "profile",
+ "email",
+ "roles",
+ "web-origins",
+ keycloak_openid_client_scope.client_scope.name,
+ ]
+}
+
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this client and scopes exists in.
+- `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak.
+- `default_scopes` - (Required) An array of client scope names to attach to this client.
+
+## Import
+
+This resource does not support import. Instead of importing, feel free to create this resource
+as if it did not already exist on the server.
diff --git a/docs/resources/openid_client_optional_scopes.md b/docs/resources/openid_client_optional_scopes.md
new file mode 100644
index 00000000..a946b619
--- /dev/null
+++ b/docs/resources/openid_client_optional_scopes.md
@@ -0,0 +1,64 @@
+---
+page_title: "keycloak_openid_client_optional_scopes Resource"
+---
+
+# keycloak\_openid\_client\_optional\_scopes Resource
+
+Allows for managing a Keycloak client's optional client scopes. An optional scope that is attached to a client using the
+OpenID Connect protocol will allow a client to request it using the OAuth 2.0 `scope` parameter. When requested, the scope's
+protocol mappers defined within that scope will be used to build claims for this client.
+
+Note that this resource attempts to be an **authoritative** source over optional scopes for a Keycloak client using the
+OpenID Connect protocol. This means that once Terraform controls a particular client's optional scopes, it will attempt
+to remove any optional scopes that were attached manually, and it will attempt to add any optional scopes that were detached
+manually.
+
+By default, Keycloak sets the `address`, `phone`, `offline_access`, and `microprofile-jwt` scopes as optional scopes for
+every newly created client. If you create this resource for the first time and do not include these scopes, a following
+run of `terraform plan` will result in changes.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "test-client"
+
+ access_type = "CONFIDENTIAL"
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "test-client-scope"
+}
+
+resource "keycloak_openid_client_optional_scopes" "client_optional_scopes" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client.id
+
+ optional_scopes = [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt",
+ keycloak_openid_client_scope.client_scope.name
+ ]
+}
+
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this client and scopes exists in.
+- `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak.
+- `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes.
+
+## Import
+
+This resource does not support import. Instead of importing, feel free to create this resource
+as if it did not already exist on the server.
diff --git a/docs/resources/openid_client_scope.md b/docs/resources/openid_client_scope.md
new file mode 100644
index 00000000..61d68124
--- /dev/null
+++ b/docs/resources/openid_client_scope.md
@@ -0,0 +1,47 @@
+---
+page_title: "keycloak_openid_client_scope Resource"
+---
+
+# keycloak\_openid\_client\_scope Resource
+
+Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol.
+
+Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. They can also
+be used by clients to conditionally request claims or roles for a user based on the OAuth 2.0 `scope` parameter.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "openid_client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "groups"
+ description = "When requested, this scope will map a user's group memberships to a claim"
+ include_in_token_scope = true
+ gui_order = 1
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this client scope belongs to.
+- `name` - (Required) The display name of this client scope in the GUI.
+- `description` - (Optional) The description of this client scope in the GUI.
+- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute.
+- `include_in_token_scope` - (Optional) When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response.
+- `gui_order` - (Optional) Specify order of the client scope in GUI (such as in Consent page) as integer.
+
+## Import
+
+Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak
+assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client_scope.openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52
+```
diff --git a/docs/resources/openid_client_service_account_realm_role.md b/docs/resources/openid_client_service_account_realm_role.md
new file mode 100644
index 00000000..1dbf4eda
--- /dev/null
+++ b/docs/resources/openid_client_service_account_realm_role.md
@@ -0,0 +1,54 @@
+---
+page_title: "keycloak_openid_client_service_account_realm_role Resource"
+---
+
+# keycloak\_openid\_client\_service\_account\_realm\_role Resource
+
+Allows for assigning realm roles to the service account of an openid client.
+You need to set `service_accounts_enabled` to `true` for the openid client that should be assigned the role.
+
+If you'd like to attach client roles to a service account, please use the `keycloak_openid_client_service_account_role`
+resource.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_role" "realm_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-realm-role"
+}
+
+resource "keycloak_openid_client" "client" {
+ realm_id = keycloak_realm.realm.id
+ name = "client"
+
+ service_accounts_enabled = true
+}
+
+resource "keycloak_openid_client_service_account_realm_role" "client_service_account_role" {
+ realm_id = keycloak_realm.realm.id
+ service_account_user_id = keycloak_openid_client.client.service_account_user_id
+ role = keycloak_role.realm_role.name
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm that the client and role belong to.
+- `service_account_user_id` - (Required) The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
+- `role` - (Required) The name of the role that is assigned.
+
+## Import
+
+This resource can be imported using the format `{{realmId}}/{{serviceAccountUserId}}/{{roleId}}`.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client_service_account_realm_role.client_service_account_role my-realm/489ba513-1ceb-49ba-ae0b-1ab1f5099ebf/c7230ab7-8e4e-4135-995d-e81b50696ad8
+```
diff --git a/docs/resources/openid_client_service_account_role.md b/docs/resources/openid_client_service_account_role.md
new file mode 100644
index 00000000..a8df8b6c
--- /dev/null
+++ b/docs/resources/openid_client_service_account_role.md
@@ -0,0 +1,65 @@
+---
+page_title: "keycloak_openid_client_service_account_role Resource"
+---
+
+# keycloak\_openid\_client\_service\_account\_role Resource
+
+Allows for assigning client roles to the service account of an openid client.
+You need to set `service_accounts_enabled` to `true` for the openid client that should be assigned the role.
+
+If you'd like to attach realm roles to a service account, please use the `keycloak_openid_client_service_account_realm_role`
+resource.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+// client1 provides a role to other clients
+resource "keycloak_openid_client" "client1" {
+ realm_id = keycloak_realm.realm.id
+ name = "client1"
+}
+
+resource "keycloak_role" "client1_role" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.client1.id
+ name = "my-client1-role"
+ description = "A role that client1 provides"
+}
+
+// client2 is assigned the role of client1
+resource "keycloak_openid_client" "client2" {
+ realm_id = keycloak_realm.realm.id
+ name = "client2"
+
+ service_accounts_enabled = true
+}
+
+resource "keycloak_openid_client_service_account_role" "client2_service_account_role" {
+ realm_id = keycloak_realm.realm.id
+ service_account_user_id = keycloak_openid_client.client2.service_account_user_id
+ client_id = keycloak_openid_client.client1.id
+ role = keycloak_role.client1_role.name
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm the clients and roles belong to.
+- `service_account_user_id` - (Required) The id of the service account that is assigned the role (the service account of the client that "consumes" the role).
+- `client_id` - (Required) The id of the client that provides the role.
+- `role` - (Required) The name of the role that is assigned.
+
+## Import
+
+This resource can be imported using the format `{{realmId}}/{{serviceAccountUserId}}/{{clientId}}/{{roleId}}`.
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_client_service_account_role.client2_service_account_role my-realm/489ba513-1ceb-49ba-ae0b-1ab1f5099ebf/baf01820-0f8b-4494-9be2-fb3bc8a397a4/c7230ab7-8e4e-4135-995d-e81b50696ad8
+```
diff --git a/docs/resources/openid_full_name_protocol_mapper.md b/docs/resources/openid_full_name_protocol_mapper.md
new file mode 100644
index 00000000..e7fa759e
--- /dev/null
+++ b/docs/resources/openid_full_name_protocol_mapper.md
@@ -0,0 +1,83 @@
+---
+page_title: "keycloak_openid_full_name_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_full\_name\_protocol\_mapper Resource
+
+Allows for creating and managing full name protocol mappers within Keycloak.
+
+Full name protocol mappers allow you to map a user's first and last name to the OpenID Connect `name` claim in a token.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "full-name-mapper"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "full-name-mapper"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_group_membership_protocol_mapper.md b/docs/resources/openid_group_membership_protocol_mapper.md
new file mode 100644
index 00000000..5ff2d635
--- /dev/null
+++ b/docs/resources/openid_group_membership_protocol_mapper.md
@@ -0,0 +1,89 @@
+---
+page_title: "keycloak_openid_group_membership_protocol_mapper Resource"
+---
+
+# keycloak_openid_group_membership_protocol_mapper Resource
+
+Allows for creating and managing group membership protocol mappers within Keycloak.
+
+Group membership protocol mappers allow you to map a user's group memberships to a claim in a token.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "group-membership-mapper"
+
+ claim_name = "groups"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "group-membership-mapper"
+
+ claim_name = "groups"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_hardcoded_claim_protocol_mapper.md b/docs/resources/openid_hardcoded_claim_protocol_mapper.md
new file mode 100644
index 00000000..6afe4748
--- /dev/null
+++ b/docs/resources/openid_hardcoded_claim_protocol_mapper.md
@@ -0,0 +1,92 @@
+---
+page_title: "keycloak_openid_hardcoded_claim_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_hardcoded\_claim\_protocol\_mapper Resource
+
+Allows for creating and managing hardcoded claim protocol mappers within Keycloak.
+
+Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "hardcoded-claim-mapper"
+
+ claim_name = "foo"
+ claim_value = "bar"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "hardcoded-claim-mapper"
+
+ claim_name = "foo"
+ claim_value = "bar"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `claim_value` - (Required) The hardcoded value of the claim.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_hardcoded_role_protocol_mapper.md b/docs/resources/openid_hardcoded_role_protocol_mapper.md
new file mode 100644
index 00000000..177d9414
--- /dev/null
+++ b/docs/resources/openid_hardcoded_role_protocol_mapper.md
@@ -0,0 +1,93 @@
+---
+page_title: "keycloak_openid_hardcoded_role_protocol_mapper Resource"
+---
+
+# keycloak_openid_hardcoded_role_protocol_mapper Resource
+
+Allows for creating and managing hardcoded role protocol mappers within Keycloak.
+
+Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_role" "role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-role"
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "hardcoded-role-mapper"
+ role_id = keycloak_role.role.id
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_role" "role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-role"
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "hardcoded-role-mapper"
+ role_id = keycloak_role.role.id
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `role_id` - (Required) The ID of the role to map to an access token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_user_attribute_protocol_mapper.md b/docs/resources/openid_user_attribute_protocol_mapper.md
new file mode 100644
index 00000000..e0b4d8fb
--- /dev/null
+++ b/docs/resources/openid_user_attribute_protocol_mapper.md
@@ -0,0 +1,94 @@
+---
+page_title: "keycloak_openid_user_attribute_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_user\_attribute\_protocol\_mapper Resource
+
+Allows for creating and managing user attribute protocol mappers within Keycloak.
+
+User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "user-attribute-mapper"
+
+ user_attribute = "foo"
+ claim_name = "bar"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "user-attribute-mapper"
+
+ user_attribute = "foo"
+ claim_name = "bar"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `user_attribute` - (Required) The custom user attribute to map a claim for.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`.
+- `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`.
+- `aggregate_attributes`- (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_user_client_role_protocol_mapper.md b/docs/resources/openid_user_client_role_protocol_mapper.md
new file mode 100644
index 00000000..6257a50e
--- /dev/null
+++ b/docs/resources/openid_user_client_role_protocol_mapper.md
@@ -0,0 +1,90 @@
+---
+page_title: "keycloak_openid_user_client_role_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_user\_client\_role\_protocol\_mapper Resource
+
+Allows for creating and managing user client role protocol mappers within Keycloak.
+
+User client role protocol mappers allow you to define a claim containing the list of a client roles.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "user-client-role-mapper"
+ claim_name = "foo"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "user-client-role-mapper"
+ claim_name = "foo"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`.
+- `client_id_for_role_mappings` - (Optional) The Client ID for role mappings. Just client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token.
+- `client_role_prefix` - (Optional) A prefix for each Client Role.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_user_client_role_protocol_mapper.user_client_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_user_client_role_protocol_mapper.user_client_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_user_property_protocol_mapper.md b/docs/resources/openid_user_property_protocol_mapper.md
new file mode 100644
index 00000000..91be752e
--- /dev/null
+++ b/docs/resources/openid_user_property_protocol_mapper.md
@@ -0,0 +1,93 @@
+---
+page_title: "keycloak_openid_user_property_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_user\_property\_protocol\_mapper Resource
+
+Allows for creating and managing user property protocol mappers within Keycloak.
+
+User property protocol mappers allow you to map built in properties defined on the Keycloak user interface to a claim in
+a token.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "user-property-mapper"
+
+ user_property = "email"
+ claim_name = "email"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "test-mapper"
+
+ user_property = "email"
+ claim_name = "email"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `user_property` - (Required) The built in user property (such as email) to map a claim for.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_user_realm_role_protocol_mapper.md b/docs/resources/openid_user_realm_role_protocol_mapper.md
new file mode 100644
index 00000000..80bad425
--- /dev/null
+++ b/docs/resources/openid_user_realm_role_protocol_mapper.md 
@@ -0,0 +1,91 @@
+---
+page_title: "keycloak_openid_user_realm_role_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_user\_realm\_role\_protocol\_mapper Resource
+
+Allows for creating and managing user realm role protocol mappers within Keycloak.
+
+User realm role protocol mappers allow you to define a claim containing the list of the realm roles.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "user-realm-role-mapper"
+
+ claim_name = "foo"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "test-client-scope"
+}
+
+resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "user-realm-role-mapper"
+
+ claim_name = "foo"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI.
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. 
Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`.
+- `realm_role_prefix` - (Optional) A prefix for each Realm Role.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/openid_user_session_note_protocol_mapper.md b/docs/resources/openid_user_session_note_protocol_mapper.md
new file mode 100644
index 00000000..3746766f
--- /dev/null
+++ b/docs/resources/openid_user_session_note_protocol_mapper.md 
@@ -0,0 +1,93 @@
+---
+page_title: "keycloak_openid_user_session_note_protocol_mapper Resource"
+---
+
+# keycloak\_openid\_user\_session\_note\_protocol\_mapper Resource
+
+Allows for creating and managing user session note protocol mappers within Keycloak.
+
+User session note protocol mappers map a custom user session note to a token claim.
+
+Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between
+multiple different clients.
+
+## Example Usage (Client)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_openid_client.openid_client.id
+ name = "user-session-note-mapper"
+
+ claim_name = "foo"
+ claim_value_type = "String"
+ session_note_label = "bar"
+}
+```
+
+## Example Usage (Client Scope)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client_scope" "client_scope" {
+ realm_id = keycloak_realm.realm.id
+ name = "client-scope"
+}
+
+resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" {
+ realm_id = keycloak_realm.realm.id
+ client_scope_id = keycloak_openid_client_scope.client_scope.id
+ name = "user-session-note-mapper"
+
+ claim_name = "foo"
+ claim_value_type = "String"
+ session_note_label = "bar"
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this protocol mapper exists within.
+- `name` - (Required) The display name of this protocol mapper in the GUI. 
+- `claim_name` - (Required) The name of the claim to insert into a token.
+- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified.
+- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified.
+- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`.
+- `session_note_label` - (Optional) String value being the name of stored user session note within the UserSessionModel.note map.
+- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`.
+- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`.
+
+## Import
+
+Protocol mappers can be imported using one of the following formats:
+- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}`
+- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}`
+
+Example:
+
+```bash
+$ terraform import keycloak_openid_user_session_note_protocol_mapper.user_session_note_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+$ terraform import keycloak_openid_user_session_note_protocol_mapper.user_session_note_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
+```
diff --git a/docs/resources/realm.md b/docs/resources/realm.md
new file mode 100644
index 00000000..cb3b432e
--- /dev/null
+++ b/docs/resources/realm.md
@@ -0,0 +1,205 @@
+---
+page_title: "keycloak_realm Resource"
+---
+
+# keycloak\_realm Resource
+
+Allows for creating and managing Realms within Keycloak.
+
+A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated
+from multiple sources.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+ display_name = "my realm"
+ display_name_html = "my realm"
+
+ login_theme = "base"
+
+ access_code_lifespan = "1h"
+
+ ssl_required = "external"
+ password_policy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"
+ attributes = {
+ mycustomAttribute = "myCustomValue"
+ }
+
+ smtp_server {
+ host = "smtp.example.com"
+ from = "example@example.com"
+
+ auth {
+ username = "tom"
+ password = "password"
+ }
+ }
+
+ internationalization {
+ supported_locales = [
+ "en",
+ "de",
+ "es"
+ ]
+ default_locale = "en"
+ }
+
+ security_defenses {
+ headers {
+ x_frame_options = "DENY"
+ content_security_policy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
+ content_security_policy_report_only = ""
+ x_content_type_options = "nosniff"
+ x_robots_tag = "none"
+ x_xss_protection = "1; mode=block"
+ strict_transport_security = "max-age=31536000; includeSubDomains"
+ }
+ brute_force_detection {
+ permanent_lockout = false
+ max_login_failures = 30
+ wait_increment_seconds = 60
+ quick_login_check_milli_seconds = 1000
+ minimum_quick_login_wait_seconds = 60
+ max_failure_wait_seconds = 900
+ failure_reset_time_seconds = 43200
+ }
+ }
+}
+```
+
+## Argument Reference
+
+- `realm` - (Required) The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
+- `enabled` - (Optional) When `false`, users and clients will not be able to access this realm. Defaults to `true`. 
+- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console.
+- `display_name_html` - (Optional) The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
+- `user_managed_access` - (Optional) When `true`, users are allowed to manage their own resources. Defaults to `false`.
+- `attributes` - (Optional) A map of custom attributes to add to the realm.
+
+### Login Settings
+
+The following arguments are all booleans, and can be found in the "Login" tab within the realm settings.
+If any of these arguments are not specified, they will default to Keycloak's default settings.
+
+- `registration_allowed` - (Optional) When true, user registration will be enabled, and a link for registration will be displayed on the login page.
+- `registration_email_as_username` - (Optional) When true, the user's email will be used as their username during registration.
+- `edit_username_allowed` - (Optional) When true, the username field is editable.
+- `reset_password_allowed` - (Optional) When true, a "forgot password" link will be displayed on the login page.
+- `remember_me` - (Optional) When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
+- `verify_email` - (Optional) When true, users are required to verify their email address after registration and after email address changes.
+- `login_with_email_allowed` - (Optional) When true, users may log in with their email address.
+- `duplicate_emails_allowed` - (Optional) When true, multiple users will be allowed to have the same email address. This argument must be set to `false` if `login_with_email_allowed` is set to `true`.
+- `ssl_required` - (Optional) Can be one of following values: 'none, 'external' or 'all'
+
+### Themes
+
+The following arguments can be used to configure themes for the realm. Custom themes can be specified here. 
+If any of these arguments are not specified, they will default to Keycloak's default settings. Typically, the `keycloak` theme is used by default.
+
+- `login_theme` - (Optional) Used for the login, forgot password, and registration pages.
+- `account_theme` - (Optional) Used for account management pages.
+- `admin_theme` - (Optional) Used for the admin console.
+- `email_theme` - (Optional) Used for emails that are sent by Keycloak.
+
+### Tokens
+
+The following arguments can be found in the "Tokens" tab within the realm settings. Each of these settings are top level arguments for the `keycloak_realm` resource.
+
+- `default_signature_algorithm` - (Optional) Default algorithm used to sign tokens for the realm.
+- `revoke_refresh_token` - (Optional) If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
+- `refresh_token_max_reuse` - (Optional) Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
+
+The arguments below should be specified as [Go duration strings](https://golang.org/pkg/time/#Duration.String). They will default to Keycloak's default settings.
+
+- `sso_session_idle_timeout` - (Optional) The amount of time a session can be idle before it expires.
+- `sso_session_max_lifespan` - (Optional) The maximum amount of time before a session expires regardless of activity.
+- `offline_session_idle_timeout` - (Optional) The amount of time an offline session can be idle before it expires.
+- `offline_session_max_lifespan` - (Optional) The maximum amount of time before an offline session expires regardless of activity.
+- `access_token_lifespan` - (Optional) The amount of time an access token can be used before it expires. 
+- `access_token_lifespan_for_implicit_flow` - (Optional) The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
+- `access_code_lifespan` - (Optional) The maximum amount of time a client has to finish the authorization code flow.
+- `access_code_lifespan_login` - (Optional) The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
+- `access_code_lifespan_user_action` - (Optional) The maximum amount of time a user has to complete login related actions, such as updating a password.
+- `action_token_generated_by_user_lifespan` - (Optional) The maximum time a user has to use a user-generated permit before it expires.
+- `action_token_generated_by_admin_lifespan` - (Optional) The maximum time a user has to use an admin-generated permit before it expires.
+
+### SMTP
+
+The `smtp_server` block can be used to configure the realm's SMTP settings, which can be found in the "Email" tab in the GUI.
+This block supports the following arguments:
+
+- `host` - (Required) The host of the SMTP server.
+- `port` - (Optional) The port of the SMTP server (defaults to 25).
+- `from` - (Required) The email address for the sender.
+- `from_display_name` - (Optional) The display name of the sender email address.
+- `reply_to` - (Optional) The "reply to" email address.
+- `reply_to_display_name` - (Optional) The display name of the "reply to" email address.
+- `envelope_from` - (Optional) The email address uses for bounces.
+- `starttls` - (Optional) When `true`, enables StartTLS. Defaults to `false`.
+- `ssl` - (Optional) When `true`, enables SSL. Defaults to `false`.
+- `auth` - (Optional) Enables authentication to the SMTP server. This block supports the following arguments:
+ - `username` - (Required) The SMTP server username.
+ - `password` - (Required) The SMTP server password. 
+
+### Internationalization
+
+Internationalization support can be configured by using the `internationalization` block, which supports the following arguments:
+
+- `supported_locales` - (Required) A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support.
+- `default_locale` - (Required) The locale to use by default. This locale code must be present within the `supported_locales` list.
+
+### Security Defenses
+
+The `security_defenses` argument can be used to configure the realm's security defenses via the `headers` and `brute_force_detection` sub-blocks.
+
+The `headers` block supports the following arguments:
+
+- `x_frame_options` - (Optional) Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the [RFC7034](https://tools.ietf.org/html/rfc7034)
+- `content_security_policy` - (Optional) Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract.
+- `content_security_policy_report_only` - (Optional) Used for testing Content Security Policies.
+- `x_content_type_options` - (Optional) Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
+- `x_robots_tag` - (Optional) Prevent pages from appearing in search engines.
+- `x_xss_protection` - (Optional) This header configures the Cross-site scripting (XSS) filter in your browser.
+- `strict_transport_security` - (Optional) The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
+
+The `brute_force_detection` block supports the following arguments:
+
+- `permanent_lockout` - (Optional) When `true`, this will lock the user permanently when the user exceeds the maximum login failures. 
+- `max_login_failures` - (Optional) How many failures before wait is triggered.
+- `wait_increment_seconds` - (Optional) This represents the amount of time a user should be locked out when the login failure threshold has been met.
+- `quick_login_check_milli_seconds` - (Optional) Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.
+- `minimum_quick_login_wait_seconds` - (Optional) How long to wait after a quick login failure.
+- `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out.
+- `failure_reset_time_seconds` - (Optional) When will failure count be reset?
+
+### Authentication Settings
+
+The following authentication settings can also be configured. Note that these are top level arguments for the `keycloak_realm` resource.
+
+- `password_policy` - (Optional) The password policy for users within the realm.
+
+The arguments below can be used to configure authentication flow bindings:
+
+- `browser_flow` - (Optional) The desired flow for browser authentication. Defaults to `browser`.
+- `registration_flow` - (Optional) The desired flow for user registration. Defaults to `registration`.
+- `direct_grant_flow` - (Optional) The desired flow for direct access authentication. Defaults to `direct grant`.
+- `reset_credentials_flow` - (Optional) The desired flow to use when a user attempts to reset their credentials. Defaults to `reset credentials`.
+- `client_authentication_flow` - (Optional) The desired flow for client authentication. Defaults to `clients`.
+- `docker_authentication_flow` - (Optional) The desired flow for Docker authentication. Defaults to `docker auth`.
+
+## Attributes Reference
+
+- `internal_id` - (Computed) When importing realms created outside of this terraform provider, they could use generated arbitrary IDs for the internal realm id. Realms created by this provider always use the realm's name for its internal id.
+
+## Import
+
+Realms can be imported using their name. 
+
+Example:
+
+```bash
+$ terraform import keycloak_realm.realm my-realm
+```
diff --git a/docs/resources/realm_events.md b/docs/resources/realm_events.md
new file mode 100644
index 00000000..22852ca0
--- /dev/null
+++ b/docs/resources/realm_events.md
@@ -0,0 +1,50 @@
+---
+page_title: "keycloak_realm_events Resource"
+---
+
+# keycloak_realm_events Resource
+
+Allows for managing Realm Events settings within Keycloak.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_realm_events" "realm_events" {
+ realm_id = keycloak_realm.realm.id
+
+ events_enabled = true
+ events_expiration = 3600
+
+ admin_events_enabled = true
+ admin_events_details_enabled = true
+
+ # When omitted or left empty, keycloak will enable all event types
+ enabled_event_types = [
+ "LOGIN",
+ "LOGOUT",
+ ]
+
+ events_listeners = [
+ "jboss-logging", # keycloak enables the 'jboss-logging' event listener by default.
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The name of the realm the event settings apply to.
+- `admin_events_enabled` - (Optional) When `true`, admin events are saved to the database, making them available through the admin console. Defaults to `false`.
+- `admin_events_details_enabled` - (Optional) When `true`, saved admin events will included detailed information for create/update requests. Defaults to `false`.
+- `events_enabled` - (Optional) When `true`, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`.
+- `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never.
+- `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types.
+- `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified.
+
+## Import
+
+This resource currently does not support importing. 
diff --git a/docs/resources/role.md b/docs/resources/role.md
new file mode 100644
index 00000000..d17545e5
--- /dev/null
+++ b/docs/resources/role.md
@@ -0,0 +1,138 @@
+---
+page_title: "keycloak_role Resource"
+---
+
+# keycloak\_role Resource
+
+Allows for creating and managing roles within Keycloak.
+
+Roles allow you define privileges within Keycloak and map them to users and groups.
+
+## Example Usage (Realm role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_role" "realm_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "my-realm-role"
+ description = "My Realm Role"
+}
+```
+
+## Example Usage (Client role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_role" "client_role" {
+ realm_id = keycloak_realm.realm.id
+ client_id = keycloak_client.openid_client.id
+ name = "my-client-role"
+ description = "My Client Role"
+}
+```
+
+## Example Usage (Composite role)
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+# realm roles
+
+resource "keycloak_role" "create_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "create"
+}
+
+resource "keycloak_role" "read_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "read"
+}
+
+resource "keycloak_role" "update_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "update"
+}
+
+resource "keycloak_role" "delete_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "delete"
+}
+
+# client role
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "client"
+
+ name = "client"
+ enabled = true
+
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = [
+ "http://localhost:8080/openid-callback"
+ ]
+}
+
+resource "keycloak_role" "client_role" {
+ realm_id = keycloak_realm.realm.id
+ client_id 
= keycloak_client.openid_client.id
+ name = "my-client-role"
+ description = "My Client Role"
+}
+
+resource "keycloak_role" "admin_role" {
+ realm_id = keycloak_realm.realm.id
+ name = "admin"
+ composite_roles = [
+ keycloak_role.create_role.id,
+ keycloak_role.read_role.id,
+ keycloak_role.update_role.id,
+ keycloak_role.delete_role.id,
+ keycloak_role.client_role.id,
+ ]
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this role exists within.
+- `name` - (Required) The name of the role
+- `client_id` - (Optional) When specified, this role will be created as a client role attached to the client with the provided ID
+- `description` - (Optional) The description of the role
+- `composite_roles` - (Optional) When specified, this role will be a composite role, composed of all roles that have an ID present within this list.
+
+
+## Import
+
+Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where `role_id` is the unique ID that Keycloak assigns
+to the role. The ID is not easy to find in the GUI, but it appears in the URL when editing the role.
+
+Example:
+
+```bash
+$ terraform import keycloak_role.role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad
+```
diff --git a/docs/resources/saml_client.md b/docs/resources/saml_client.md
new file mode 100644
index 00000000..1b35b862
--- /dev/null
+++ b/docs/resources/saml_client.md
@@ -0,0 +1,75 @@
+---
+page_title: "keycloak_saml_client Resource"
+---
+
+# keycloak\_saml\_client Resource
+
+Allows for creating and managing Keycloak clients that use the SAML protocol.
+
+Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users
+to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+ realm = "my-realm"
+ enabled = true
+}
+
+resource "keycloak_saml_client" "saml_client" {
+ realm_id = keycloak_realm.realm.id
+ client_id = "saml-client"
+ name = "saml-client"
+
+ sign_documents = false
+ sign_assertions = true
+ include_authn_statement = true
+
+ signing_certificate = file("saml-cert.pem")
+ signing_private_key = file("saml-key.pem")
+}
+```
+
+## Argument Reference
+
+- `realm_id` - (Required) The realm this client is attached to.
+- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
+- `name` - (Optional) The display name of this client in the GUI.
+- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+- `description` - (Optional) The description of this client in the GUI.
+- `include_authn_statement` - (Optional) When `true`, an `AuthnStatement` will be included in the SAML response.
+- `sign_documents` - (Optional) When `true`, the SAML document will be signed by Keycloak using the realm's private key.
+- `sign_assertions` - (Optional) When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response.
+- `encrypt_assertions` - (Optional) When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. 
+- `client_signature_required` - (Optional) When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`.
+- `force_post_binding` - (Optional) When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding.
+- `front_channel_logout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout.
+- `name_id_format` - (Optional) Sets the Name ID format for the subject.
+- `force_name_id_format` - (Optional) Ignore requested NameID subject format and use the one defined in `name_id_format` instead.
+- `signature_algorithm` - (Optional) The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA512", or "DSA_SHA1".
+- `root_url` - (Optional) When specified, this value is prepended to all relative URLs.
+- `valid_redirect_uris` - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
+- `base_url` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client.
+- `master_saml_processing_url` - (Optional) When specified, this URL will be used for all SAML requests.
+- `encryption_certificate` - (Optional) If assertions for the client are encrypted, this certificate will be used for encryption.
+- `signing_certificate` - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature.
+- `signing_private_key` - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature.
+- `idp_initiated_sso_url_name` - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO. 
+- `idp_initiated_sso_relay_state` - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+- `assertion_consumer_post_url` - (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses).
+- `assertion_consumer_redirect_url` - (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses).
+- `logout_service_post_binding_url` - (Optional) SAML POST Binding URL for the client's single logout service.
+- `logout_service_redirect_binding_url` - (Optional) SAML Redirect Binding URL for the client's single logout service.
+- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token
+
+## Import
+
+Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak
+assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_saml_client.saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
+```
diff --git a/docs/resources/saml_client_default_scopes.md b/docs/resources/saml_client_default_scopes.md
new file mode 100644
index 00000000..1cfa29c0
--- /dev/null
+++ b/docs/resources/saml_client_default_scopes.md
@@ -0,0 +1,64 @@ +--- +page_title: "keycloak_saml_client_default_scopes Resource" +--- + +# keycloak\_saml\_client\_default\_scopes Resource + +Allows for managing a Keycloak client's default client scopes. A default scope that is attached to a client using the SAML +protocol will automatically use the protocol mappers defined within that scope to build claims for this client. + +Note that this resource attempts to be an **authoritative** source over default scopes for a Keycloak client using the SAML +protocol. This means that once Terraform controls a particular client's default scopes, it will attempt to remove any default +scopes that were attached manually, and it will attempt to add any default scopes that were detached manually. + +By default, Keycloak sets the `role_list` scope as default scope for every newly created client. If you create this resource +for the first time and do not include this scope, a following run of `terraform plan` will result in changes. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_saml_client" "saml_client" { + realm_id = keycloak_realm.realm.id + client_id = "saml-client" + name = "saml-client" + + sign_documents = false + sign_assertions = true + include_authn_statement = true + + signing_certificate = file("saml-cert.pem") + signing_private_key = file("saml-key.pem") +} + +resource "keycloak_saml_client_scope" "client_scope" { + realm_id = keycloak_realm.realm.id + name = "client-scope" +} + +resource "keycloak_saml_client_default_scopes" "client_default_scopes" { + realm_id = keycloak_realm.realm.id + client_id = keycloak_saml_client.client.id + + default_scopes = [ + "role_list", + keycloak_saml_client_scope.client_scope.name + ] +} + +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this client and scopes exists in. +- `client_id` - (Required) The ID of the client to attach default scopes to. 
Note that this is the unique ID of the client generated by Keycloak. +- `default_scopes` - (Required) An array of client scope names to attach to this client. + +## Import + +This resource does not support import. Instead of importing, feel free to create this resource as if it did not already exist +on the server. diff --git a/docs/resources/saml_client_scope.md b/docs/resources/saml_client_scope.md new file mode 100644 index 00000000..beb65510 --- /dev/null +++ b/docs/resources/saml_client_scope.md 
@@ -0,0 +1,44 @@ +--- +page_title: "keycloak_saml_client_scope Resource" +--- + +# keycloak\_saml\_client\_scope Resource + +Allows for creating and managing Keycloak client scopes that can be attached to clients that use the SAML protocol. + +Client Scopes can be used to share common protocol and role mappings between multiple clients within a realm. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_saml_client_scope" "saml_client_scope" { + realm_id = keycloak_realm.realm.id + name = "groups" + description = "This scope will map a user's group memberships to SAML assertion" + gui_order = 1 +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this client scope belongs to. +- `name` - (Required) The display name of this client scope in the GUI. +- `description` - (Optional) The description of this client scope in the GUI. +- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute. +- `gui_order` - (Optional) Specify order of the client scope in GUI (such as in Consent page) as integer. + +## Import + +Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak +assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. + +Example: + +```bash +$ terraform import keycloak_saml_client_scope.saml_client_scope my-realm/e8a5d115-6985-4de3-a0f5-732e1be4525e +``` diff --git a/docs/resources/saml_identity_provider.md b/docs/resources/saml_identity_provider.md new file mode 100644 index 00000000..80653e8e --- /dev/null +++ b/docs/resources/saml_identity_provider.md 
@@ -0,0 +1,73 @@ +--- +page_title: "keycloak_saml_identity_provider Resource" +--- + +# keycloak\_saml\_identity\_provider Resource + +Allows for creating and managing SAML Identity Providers within Keycloak. + +SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_saml_identity_provider" "realm_saml_identity_provider" { + realm = keycloak_realm.realm.id + alias = "my-saml-idp" + + single_sign_on_service_url = "https://domain.com/adfs/ls/" + single_logout_service_url = "https://domain.com/adfs/ls/?wa=wsignout1.0" + + backchannel_supported = true + post_binding_response = true + post_binding_logout = true + post_binding_authn_request = true + store_token = false + trust_email = true + force_authn = true +} +``` + +## Argument Reference + +- `realm` - (Required) The name of the realm. This is unique across Keycloak. +- `alias` - (Optional) The unique name of identity provider. +- `enabled` - (Optional) When `false`, users and clients will not be able to access this realm. Defaults to `true`. +- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. +- `store_token` - (Optional) When `true`, tokens will be stored after authenticating users. Defaults to `true`. +- `add_read_token_role_on_create` - (Optional) When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`. +- `trust_email` - (Optional) When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`. +- `link_only` - (Optional) When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`. 
+- `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. +- `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. +- `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. +- `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. +- `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). +- `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. +- `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. +- `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. +- `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. +- `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. +- `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. 
If false, HTTP-REDIRECT binding will be used. +- `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. +- `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. +- `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. +- `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. +- `signing_certificate` - (Optional) Signing Certificate. +- `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty. +- `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. + +## Import + +Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. + +Example: + +```bash +$ terraform import keycloak_saml_identity_provider.realm_saml_identity_provider my-realm/my-saml-idp +``` diff --git a/docs/resources/saml_user_attribute_protocol_mapper.md b/docs/resources/saml_user_attribute_protocol_mapper.md new file mode 100644 index 00000000..922467c2 --- /dev/null +++ b/docs/resources/saml_user_attribute_protocol_mapper.md 
@@ -0,0 +1,62 @@ +--- +page_title: "keycloak_saml_user_attribute_protocol_mapper Resource" +--- + +# keycloak\_saml\_user\_attribute\_protocol\_mapper Resource + +Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak. + +SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute +in a SAML assertion. + +Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +multiple different clients. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_saml_client" "saml_client" { + realm_id = keycloak_realm.test.id + client_id = "saml-client" + name = "saml-client" +} + +resource "keycloak_saml_user_attribute_protocol_mapper" "saml_user_attribute_mapper" { + realm_id = keycloak_realm.test.id + client_id = keycloak_saml_client.saml_client.id + name = "displayname-user-attribute-mapper" + + user_attribute = "displayName" + saml_attribute_name = "displayName" + saml_attribute_name_format = "Unspecified" +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this protocol mapper exists within. +- `name` - (Required) The display name of this protocol mapper in the GUI. +- `user_attribute` - (Required) The custom user attribute to map. +- `saml_attribute_name` - (Required) The name of the SAML attribute. +- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. +- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. +- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
+- `friendly_name` - (Optional) An optional human-friendly name for this attribute. + +## Import + +Protocol mappers can be imported using one of the following formats: +- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` + +Example: + +```bash +$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +``` diff --git a/docs/resources/saml_user_property_protocol_mapper.md b/docs/resources/saml_user_property_protocol_mapper.md new file mode 100644 index 00000000..a7abdaf2 --- /dev/null +++ b/docs/resources/saml_user_property_protocol_mapper.md 
@@ -0,0 +1,62 @@ +--- +page_title: "keycloak_saml_user_property_protocol_mapper Resource" +--- + +# keycloak\_saml\_user\_property\_protocol\_mapper Resource + +Allows for creating and managing user property protocol mappers for SAML clients within Keycloak. + +SAML user property protocol mappers allow you to map properties of the Keycloak +user model to an attribute in a SAML assertion. + +Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between +multiple different clients. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_saml_client" "saml_client" { + realm_id = keycloak_realm.test.id + client_id = "saml-client" + name = "saml-client" +} + +resource "keycloak_saml_user_property_protocol_mapper" "saml_user_property_mapper" { + realm_id = keycloak_realm.test.id + client_id = keycloak_saml_client.saml_client.id + name = "email-user-property-mapper" + + user_property = "email" + saml_attribute_name = "email" + saml_attribute_name_format = "Unspecified" +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this protocol mapper exists within. +- `name` - (Required) The display name of this protocol mapper in the GUI. +- `user_property` - (Required) The property of the Keycloak user model to map. +- `saml_attribute_name` - (Required) The name of the SAML attribute. +- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. +- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. +- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. 
+- `friendly_name` - (Optional) An optional human-friendly name for this attribute. + +## Import + +Protocol mappers can be imported using one of the following formats: +- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` +- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` + +Example: + +```bash +$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +``` diff --git a/docs/resources/user.md b/docs/resources/user.md new file mode 100644 index 00000000..3afe6f14 --- /dev/null +++ b/docs/resources/user.md 
@@ -0,0 +1,78 @@ +--- +page_title: "keycloak_user Resource" +--- + +# keycloak\_user Resource + +Allows for creating and managing Users within Keycloak. + +This resource was created primarily to enable the acceptance tests for the `keycloak_group` resource. Creating users within +Keycloak is not recommended. Instead, users should be federated from external sources by configuring user federation providers +or identity providers. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_user" "user" { + realm_id = keycloak_realm.realm.id + username = "bob" + enabled = true + + email = "bob@domain.com" + first_name = "Bob" + last_name = "Bobson" +} + +resource "keycloak_user" "user_with_initial_password" { + realm_id = keycloak_realm.realm.id + username = "alice" + enabled = true + + email = "alice@domain.com" + first_name = "Alice" + last_name = "Aliceberg" + + attributes = { + foo = "bar" + } + + initial_password { + value = "some password" + temporary = true + } +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this user belongs to. +- `username` - (Required) The unique username of this user. +- `initial_password` - (Optional) When given, the user's initial password will be set. This attribute is only respected during initial user creation. + - `value` - (Required) The initial password. + - `temporary` - (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. +- `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. +- `email` - (Optional) The user's email. +- `email_verified` - (Optional) Whether the email address was validated or not. Default to `false`. +- `first_name` - (Optional) The user's first name. +- `last_name` - (Optional) The user's last name. 
+- `attributes` - (Optional) A map representing attributes for the user +- `federated_identity` - (Optional) When specified, the user will be linked to a federated identity provider. Refer to the [federated user example](https://github.com/mrparkers/terraform-provider-keycloak/blob/master/example/federated_user_example.tf) for more details. + - `identity_provider` - (Required) The name of the identity provider + - `user_id` - (Required) The ID of the user defined in the identity provider + - `user_name` - (Required) The user name of the user defined in the identity provider + +## Import + +Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak +assigns to the user upon creation. This value can be found in the GUI when editing the user. + +Example: + +```bash +$ terraform import keycloak_user.user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 +``` diff --git a/docs/resources/user_roles.md b/docs/resources/user_roles.md new file mode 100644 index 00000000..b397111f --- /dev/null +++ b/docs/resources/user_roles.md 
@@ -0,0 +1,83 @@ +--- +page_title: "keycloak_user_roles Resource" +--- + +# keycloak\_user\_roles Resource + +Allows you to manage roles assigned to a Keycloak user. + +Note that this resource attempts to be an **authoritative** source over user roles. When this resource takes control over +a user's roles, roles that are manually assigned to the user will be removed, and roles that are manually removed from the +user will be assigned upon the next run of `terraform apply`. + +Note that when assigning composite roles to a user, you may see a non-empty plan following a `terraform apply` if you assign +a role and a composite that includes that role to the same user. + +## Example Usage + +```hcl +resource "keycloak_realm" "realm" { + realm = "my-realm" + enabled = true +} + +resource "keycloak_role" "realm_role" { + realm_id = keycloak_realm.realm.id + name = "my-realm-role" + description = "My Realm Role" +} + +resource "keycloak_openid_client" "client" { + realm_id = keycloak_realm.realm.id + client_id = "client" + name = "client" + + enabled = true + + access_type = "BEARER-ONLY" +} + +resource "keycloak_role" "client_role" { + realm_id = keycloak_realm.realm.id + client_id = keycloak_client.client.id + name = "my-client-role" + description = "My Client Role" +} + +resource "keycloak_user" "user" { + realm_id = keycloak_realm.realm.id + username = "bob" + enabled = true + + email = "bob@domain.com" + first_name = "Bob" + last_name = "Bobson" +} + +resource "keycloak_user_roles" "user_roles" { + realm_id = keycloak_realm.realm.id + user_id = keycloak_user.user.id + + role_ids = [ + keycloak_role.realm_role.id, + keycloak_role.client_role.id, + ] +} +``` + +## Argument Reference + +- `realm_id` - (Required) The realm this user exists in. +- `user_id` - (Required) The ID of the user this resource should manage roles for. 
+- `role_ids` - (Required) A list of role IDs to map to the user
+
+## Import
+
+This resource can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak
+assigns to the user upon creation. This value can be found in the GUI when editing the user, and is typically a GUID.
+
+Example:
+
+```bash
+$ terraform import keycloak_user_roles.user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924
+```
diff --git a/keycloak/openid_client_authorization_policy.go b/keycloak/openid_client_authorization_policy.go
index 214fbbe0..9f442c0d 100644
--- a/keycloak/openid_client_authorization_policy.go
+++ b/keycloak/openid_client_authorization_policy.go
@@ -25,6 +25,9 @@ func (keycloakClient *KeycloakClient) GetClientAuthorizationPolicyByName(realmId
 if err != nil {
 return nil, err
 }
+ if len(policies) == 0 {
+ return nil, fmt.Errorf("unable to find client authorization policy with name %s", name)
+ }
 policy := policies[0]
 policy.RealmId = realmId
 policy.ResourceServerId = resourceServerId
diff --git a/keycloak/role_scope_mapping.go b/keycloak/role_scope_mapping.go
index 35506d41..10d07699 100644
--- a/keycloak/role_scope_mapping.go
+++ b/keycloak/role_scope_mapping.go
@@ -5,7 +5,6 @@ import (
 )
 
 func roleScopeMappingUrl(realmId, clientId string, clientScopeId string, role *Role) string {
-
 if clientId != "" {
 if role.ClientRole {
 return fmt.Sprintf("/realms/%s/clients/%s/scope-mappings/clients/%s", realmId, clientId, role.ClientId)
diff --git a/provider/data_source_keycloak_openid_client.go b/provider/data_source_keycloak_openid_client.go
index 6111e43a..ae5fc967 100644
--- a/provider/data_source_keycloak_openid_client.go
+++ b/provider/data_source_keycloak_openid_client.go
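Review bot: The new guard only rejects an empty result; when more than one policy comes back, `policy := policies[0]` still picks the first one silently, and because this is a lookup by name (the request that fills `policies` is above the hunk, so I cannot tell whether the admin API matches the name exactly or by prefix/substring) a data source could end up bound to a different authorization policy than the one the user named. I would add a second guard, `if len(policies) > 1 { return nil, fmt.Errorf("found %d client authorization policies with name %q, expected exactly one", len(policies), name) }`, or filter the slice on `p.Name == name` before indexing it. Consider `%q` rather than `%s` in the new error too, so an empty or whitespace-only name is visible in the message. The function's signature and the call that populates `policies` sit outside the hunk.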
@@ -51,6 +51,10 @@ func dataSourceKeycloakOpenidClient() *schema.Resource {
 Type: schema.TypeBool,
 Computed: true,
 },
+ "service_accounts_enabled": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
 "valid_redirect_uris": {
 Type: schema.TypeSet,
 Elem: &schema.Schema{Type: schema.TypeString},
@@ -63,18 +67,34 @@ func dataSourceKeycloakOpenidClient() *schema.Resource {
 Set: schema.HashString,
 Computed: true,
 },
+ "root_url": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "admin_url": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "base_url": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
 "service_account_user_id": {
 Type: schema.TypeString,
 Computed: true,
 },
- "service_accounts_enabled": {
- Type: schema.TypeBool,
+ "pkce_code_challenge_method": {
+ Type: schema.TypeString,
 Computed: true,
 },
- "root_url": {
+ "access_token_lifespan": {
 Type: schema.TypeString,
 Computed: true,
 },
+ "exclude_session_state_from_auth_response": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
 "resource_server_id": {
 Type: schema.TypeString,
 Computed: true,
@@ -93,6 +113,10 @@ func dataSourceKeycloakOpenidClient() *schema.Resource {
 Type: schema.TypeBool,
 Computed: true,
 },
+ "keep_defaults": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
 },
 },
 },
diff --git a/provider/data_source_keycloak_openid_client_authorization_policy.go b/provider/data_source_keycloak_openid_client_authorization_policy.go
index 4dc95684..12b14054 100644
--- a/provider/data_source_keycloak_openid_client_authorization_policy.go
+++ b/provider/data_source_keycloak_openid_client_authorization_policy.go
@@ -2,7 +2,6 @@ package provider
 
 import (
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
- "github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 "github.com/mrparkers/terraform-provider-keycloak/keycloak"
 )
 
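Review bot: The eight new computed attributes (`service_accounts_enabled`, `root_url`, `admin_url`, `base_url`, `pkce_code_challenge_method`, `access_token_lifespan`, `exclude_session_state_from_auth_response`, `keep_defaults`) are only declared in the schema here; the read function that must `data.Set` each of them is outside these hunks, so I cannot confirm they are populated rather than silently left at their zero values, which for a data source means a user reading `service_accounts_enabled` or `pkce_code_challenge_method` to make a decision would get `false`/`""` instead of an error. Please make sure the read path sets every one of them and that the acceptance test asserts on them. `keep_defaults` also reads like a provider-side behaviour switch on the resource rather than a property Keycloak returns; if that is the case there is nothing for the data source to fill it from and it should be dropped from this schema. The enclosing `dataSourceKeycloakOpenidClient` function starts and ends outside the hunks.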
@@ -32,9 +31,8 @@ func dataSourceKeycloakOpenidClientAuthorizationPolicy() *schema.Resource {
 Computed: true,
 },
 "logic": {
- Type: schema.TypeString,
- Optional: true,
- ValidateFunc: validation.StringInSlice(keycloakPolicyLogicTypes, false),
+ Type: schema.TypeString,
+ Computed: true,
 },
 "policies": {
 Type: schema.TypeSet,
diff --git a/provider/resource_keycloak_openid_client.go b/provider/resource_keycloak_openid_client.go
index 45cef8e9..5b9154bd 100644
--- a/provider/resource_keycloak_openid_client.go
+++ b/provider/resource_keycloak_openid_client.go
@@ -74,6 +74,11 @@ func resourceKeycloakOpenidClient() *schema.Resource {
 Optional: true,
 Default: false,
 },
+ "service_accounts_enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ },
 "valid_redirect_uris": {
 Type: schema.TypeSet,
 Elem: &schema.Schema{Type: schema.TypeString},
@@ -86,22 +91,21 @@ func resourceKeycloakOpenidClient() *schema.Resource {
 Set: schema.HashString,
 Optional: true,
 },
- "admin_url": {
+ "root_url": {
 Type: schema.TypeString,
 Optional: true,
 },
- "base_url": {
+ "admin_url": {
 Type: schema.TypeString,
 Optional: true,
 },
- "root_url": {
+ "base_url": {
 Type: schema.TypeString,
 Optional: true,
 },
- "service_accounts_enabled": {
- Type: schema.TypeBool,
- Optional: true,
- Default: false,
+ "service_account_user_id": {
+ Type: schema.TypeString,
+ Computed: true,
 },
 "pkce_code_challenge_method": {
 Type: schema.TypeString,
@@ -117,10 +121,6 @@ func resourceKeycloakOpenidClient() *schema.Resource {
 Optional: true,
 Default: false,
 },
- "service_account_user_id": {
- Type: schema.TypeString,
- Computed: true,
- },
 "resource_server_id": {
 Type: schema.TypeString,
 Computed: true,
diff --git a/provider/resource_keycloak_realm.go b/provider/resource_keycloak_realm.go
index bff25b92..77465617 100644
--- a/provider/resource_keycloak_realm.go
+++ b/provider/resource_keycloak_realm.go
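Review bot: Turning `logic` from `Optional` into `Computed` on the data source is a user-visible breaking change that the commit does not document: any configuration that currently sets `logic` on `data "keycloak_openid_client_authorization_policy"` will now fail at plan time because a computed-only attribute cannot be set, so this needs a changelog entry and a note in the data source docs. The direction itself is right (a data source should report the policy's logic, not accept it as input, and the now-dead `validation` import is correctly removed in the preceding hunk). With the `ValidateFunc` gone, `keycloakPolicyLogicTypes` may no longer be referenced from this file; if it was only used here it will linger as an unused package-level variable that `go vet` does not flag, so worth checking where else it is used. The enclosing `dataSourceKeycloakOpenidClientAuthorizationPolicy` function starts and ends outside the hunk.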
@@ -44,7 +44,6 @@ func resourceKeycloakRealm() *schema.Resource {
 },
 
 // Login Config
-
 "registration_allowed": {
 Type: schema.TypeBool,
 Optional: true,
@@ -92,8 +91,7 @@ func resourceKeycloakRealm() *schema.Resource {
 Default: "external",
 },
 
- //Smtp server
-
+ // Smtp server
 "smtp_server": {
 Type: schema.TypeList,
 Optional: true,
@@ -162,7 +160,6 @@ func resourceKeycloakRealm() *schema.Resource {
 },
 
 // Themes
-
 "login_theme": {
 Type: schema.TypeString,
 Optional: true,
@@ -262,7 +259,7 @@ func resourceKeycloakRealm() *schema.Resource {
 DiffSuppressFunc: suppressDurationStringDiff,
 },
 
- //internationalization
+ // internationalization
 "internationalization": {
 Type: schema.TypeList,
 Optional: true,
@@ -283,7 +280,7 @@ func resourceKeycloakRealm() *schema.Resource {
 },
 },
 
- //Security Defenses
+ // Security Defenses
 "security_defenses": {
 Type: schema.TypeList,
 Optional: true,
@@ -381,13 +378,15 @@ func resourceKeycloakRealm() *schema.Resource {
 },
 },
 },
+
+ // authentication password policy
 "password_policy": {
 Type: schema.TypeString,
 Description: "String that represents the passwordPolicies that are in place. Each policy is separated with \" and \". Supported policies can be found in the server-info providers page. example: \"upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername(undefined)\"",
 Optional: true,
 },
 
- //flow bindings
+ // authentication flow bindings
 "browser_flow": {
 Type: schema.TypeString,
 Description: "Which flow should be used for BrowserFlow",
@@ -424,6 +423,8 @@ func resourceKeycloakRealm() *schema.Resource {
 Optional: true,
 Default: "docker auth",
 },
+
+ // misc attributes
 "attributes": {
 Type: schema.TypeMap,
 Optional: true,