From a123687191afd4ac221ea51aaf0c9dab0841607b Mon Sep 17 00:00:00 2001 From: Ian Wahbe Date: Tue, 2 Jan 2024 10:24:35 +0100 Subject: [PATCH] Modernize provider - Convert from forked to patched (#354) This is one of our last forked providers. This PR converts from forked to patched. The schema diff is caused by restoring some documentation and by fixing a typo (backwards compatible) in a resource mapping. --- .ci-mgmt.yaml | 1 - .gitmodules | 4 + patches/0001-fork.patch | 2854 +++++++++++++++++ .../bridge-metadata.json | 246 +- .../cmd/pulumi-resource-keycloak/schema.json | 231 +- provider/go.mod | 2 +- provider/resources.go | 282 +- sdk/dotnet/AttributeToRoleIdentityMapper.cs | 115 +- ...ardcodedAttributeIdentityProviderMapper.cs | 83 +- sdk/dotnet/HardcodedRoleIdentityMapper.cs | 75 +- sdk/dotnet/Ldap/HardcodedGroupMapper.cs | 85 +- .../OpenId/AudienceResolveProtocolMapper.cs | 236 ++ .../OpenId/AudienceResolveProtocolMappter.cs | 111 +- .../OpenId/ClientAuthorizationPermission.cs | 102 + sdk/dotnet/OpenId/ClientPermissions.cs | 131 + sdk/dotnet/UsersPermissions.cs | 30 + .../keycloak/attributeToRoleIdentityMapper.go | 175 +- ...ardcodedAttributeIdentityProviderMapper.go | 127 +- .../keycloak/hardcodedRoleIdentityMapper.go | 108 +- sdk/go/keycloak/ldap/hardcodedGroupMapper.go | 120 +- .../openid/audienceResolveProtocolMapper.go | 378 +++ .../openid/audienceResolveProtocolMappter.go | 158 +- .../openid/clientAuthorizationPermission.go | 109 + sdk/go/keycloak/openid/clientPermissions.go | 134 + sdk/go/keycloak/openid/init.go | 7 + sdk/go/keycloak/usersPermissions.go | 28 + .../AttributeToRoleIdentityMapper.java | 111 +- .../AttributeToRoleIdentityMapperArgs.java | 76 +- ...dcodedAttributeIdentityProviderMapper.java | 83 +- ...edAttributeIdentityProviderMapperArgs.java | 48 +- .../keycloak/HardcodedRoleIdentityMapper.java | 80 +- .../HardcodedRoleIdentityMapperArgs.java | 32 +- .../com/pulumi/keycloak/UsersPermissions.java | 140 + .../AttributeToRoleIdentityMapperState.java | 76 +- ...dAttributeIdentityProviderMapperState.java | 48 +- .../HardcodedRoleIdentityMapperState.java | 32 +- .../keycloak/ldap/HardcodedGroupMapper.java | 91 +- .../ldap/HardcodedGroupMapperArgs.java | 32 +- .../inputs/HardcodedGroupMapperState.java | 32 +- .../openid/AudienceResolveProtocolMapper.java | 241 ++ .../AudienceResolveProtocolMapperArgs.java | 195 ++ .../AudienceResolveProtocolMappter.java | 128 +- .../AudienceResolveProtocolMappterArgs.java | 32 +- .../openid/ClientAuthorizationPermission.java | 111 + .../keycloak/openid/ClientPermissions.java | 137 + .../AudienceResolveProtocolMapperState.java | 194 ++ .../AudienceResolveProtocolMappterState.java | 32 +- sdk/nodejs/attributeToRoleIdentityMapper.ts | 99 +- ...ardcodedAttributeIdentityProviderMapper.ts | 71 +- sdk/nodejs/hardcodedRoleIdentityMapper.ts | 61 +- sdk/nodejs/ldap/hardcodedGroupMapper.ts | 69 +- .../openid/audienceResolveProtocolMapper.ts | 187 ++ .../openid/audienceResolveProtocolMappter.ts | 86 +- .../openid/clientAuthorizationPermission.ts | 75 + sdk/nodejs/openid/clientPermissions.ts | 98 + sdk/nodejs/openid/index.ts | 8 + sdk/nodejs/tsconfig.json | 1 + sdk/nodejs/usersPermissions.ts | 30 + sdk/python/pulumi_keycloak/__init__.py | 8 + .../attribute_to_role_identity_mapper.py | 199 +- ...oded_attribute_identity_provider_mapper.py | 148 +- .../hardcoded_role_identity_mapper.py | 122 +- .../ldap/hardcoded_group_mapper.py | 140 +- sdk/python/pulumi_keycloak/openid/__init__.py | 1 + .../audience_resolve_protocol_mapper.py | 391 +++ .../audience_resolve_protocol_mappter.py | 170 +- .../openid/client_authorization_permission.py | 136 +- .../openid/client_permissions.py | 182 +- .../pulumi_keycloak/users_permissions.py | 60 +- upstream | 1 + 70 files changed, 8654 insertions(+), 1572 deletions(-) create mode 100644 .gitmodules create mode 100644 patches/0001-fork.patch create mode 100644 sdk/dotnet/OpenId/AudienceResolveProtocolMapper.cs create mode 100644 sdk/go/keycloak/openid/audienceResolveProtocolMapper.go create mode 100644 sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapper.java create mode 100644 sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapperArgs.java create mode 100644 sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMapperState.java create mode 100644 sdk/nodejs/openid/audienceResolveProtocolMapper.ts create mode 100644 sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mapper.py create mode 160000 upstream diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml index 5abae1b2..06cdd741 100644 --- a/.ci-mgmt.yaml +++ b/.ci-mgmt.yaml @@ -12,4 +12,3 @@ makeTemplate: bridged plugins: - name: aws version: "4.2.0" -team: ecosystem diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..6c859695 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "upstream"] + path = upstream + url = https://github.com/mrparkers/terraform-provider-keycloak.git + ignore = dirty diff --git a/patches/0001-fork.patch b/patches/0001-fork.patch new file mode 100644 index 00000000..c4b0afe2 --- /dev/null +++ b/patches/0001-fork.patch @@ -0,0 +1,2854 @@ +diff --git b/website/docs/d/keycloak_group.html.markdown a/website/docs/d/keycloak_group.html.markdown +new file mode 100644 +index 0000000..2cfaf67 +--- /dev/null ++++ a/website/docs/d/keycloak_group.html.markdown +@@ -0,0 +1,47 @@ ++# keycloak_group data source ++ ++This data source can be used to fetch properties of a Keycloak group for ++usage with other resources, such as `keycloak_group_roles`. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++data "keycloak_role" "offline_access" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "offline_access" ++} ++ ++data "keycloak_group" "group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "group" ++} ++ ++resource "keycloak_group_roles" "group_roles" { ++ realm_id = "${keycloak_realm.realm.id}" ++ group_id = "${data.keycloak_group.group.id}" ++ ++ roles = [ ++ "${data.keycloak_role.offline_access.id}" ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this group exists within. ++- `name` - (Required) The name of the group ++ ++### Attributes Reference ++ ++In addition to the arguments listed above, the following computed attributes are exported: ++ ++- `id` - The unique ID of the group, which can be used as an argument to ++ other resources supported by this provider. ++ +diff --git b/website/docs/d/keycloak_openid_client.html.markdown a/website/docs/d/keycloak_openid_client.html.markdown +new file mode 100644 +index 0000000..bd38e9e +--- /dev/null ++++ a/website/docs/d/keycloak_openid_client.html.markdown +@@ -0,0 +1,30 @@ ++# keycloak_openid_client data source ++ ++This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. ++ ++### Example Usage ++ ++```hcl ++data "keycloak_openid_client" "realm_management" { ++ realm_id = "my-realm" ++ client_id = "realm-management" ++} ++ ++# use the data source ++data "keycloak_role" "admin" { ++ realm_id = "my-realm" ++ client_id = data.keycloak_openid_client.realm_management.id ++ name = "realm-admin" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm id. ++- `client_id` - (Required) The client id. ++ ++### Attributes Reference ++ ++See the docs for the [`keycloak_openid_client` resource](../resources/keycloak_openid_client.md) for details on the exported attributes. +diff --git b/website/docs/d/keycloak_realm.html.markdown a/website/docs/d/keycloak_realm.html.markdown +new file mode 100644 +index 0000000..f373cb6 +--- /dev/null ++++ a/website/docs/d/keycloak_realm.html.markdown +@@ -0,0 +1,30 @@ ++# keycloak_realm data source ++ ++This data source can be used to fetch properties of a Keycloak realm for ++usage with other resources. ++ ++### Example Usage ++ ++```hcl ++data "keycloak_realm" "realm" { ++ realm = "my-realm" ++} ++ ++# use the data source ++ ++resource "keycloak_role" "group" { ++ realm_id = "${data.keycloak_realm.id}" ++ name = "group" ++} ++ ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm` - (Required) The realm name. ++ ++### Attributes Reference ++ ++See the docs for the [`keycloak_realm` resource](../resources/keycloak_realm.md) for details on the exported attributes. +diff --git b/website/docs/d/keycloak_realm_keys.html.markdown a/website/docs/d/keycloak_realm_keys.html.markdown +new file mode 100644 +index 0000000..50e41b3 +--- /dev/null ++++ a/website/docs/d/keycloak_realm_keys.html.markdown +@@ -0,0 +1,38 @@ ++# keycloak_realm_keys data source ++ ++Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. ++ ++Remarks: ++ ++- A key must meet all filter criteria ++- This datasource may return more than one value. ++- If no key matches the filter criteria, then an error is returned. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++data "keycloak_realm_keys" "keys" { ++ realm_id = keycloak_realm.realm ++ algorithms = ["AES", "RS256"] ++ status = ["ACTIVE", "PASSIVE"] ++} ++ ++# show certificate of first key: ++output "certificate" { ++ value = data.keycloak_realm_keys.realm.keys[0].certificate ++} ++ ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm of which the keys are retrieved. ++- `algorithms` - (Optional) When specified, keys are filtered by algorithm (values for algorithm: `HS256`, `RS256`,`AES`, ...) ++- `status` - (Optional) When specified, keys are filtered by status (values for status: `ACTIVE`, `DISABLED` and `PASSIVE`) +diff --git b/website/docs/d/keycloak_role.html.markdown a/website/docs/d/keycloak_role.html.markdown +new file mode 100644 +index 0000000..7dfc4f9 +--- /dev/null ++++ a/website/docs/d/keycloak_role.html.markdown +@@ -0,0 +1,51 @@ ++# keycloak_role data source ++ ++This data source can be used to fetch properties of a Keycloak role for ++usage with other resources, such as `keycloak_group_roles`. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++data "keycloak_role" "offline_access" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "offline_access" ++} ++ ++# use the data source ++ ++resource "keycloak_group" "group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "group" ++} ++ ++resource "keycloak_group_roles" "group_roles" { ++ realm_id = "${keycloak_realm.realm.id}" ++ group_id = "${keycloak_group.group.id}" ++ ++ roles = [ ++ "${data.keycloak_role.offline_access.id}" ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this role exists within. ++- `client_id` - (Optional) When specified, this role is assumed to be a ++ client role belonging to the client with the provided ID ++- `name` - (Required) The name of the role ++ ++### Attributes Reference ++ ++In addition to the arguments listed above, the following computed attributes are exported: ++ ++- `id` - The unique ID of the role, which can be used as an argument to ++ other resources supported by this provider. ++- `description` - The description of the role. +diff --git b/website/docs/r/keycloak_attribute_importer_identity_provider_mapper.html.markdown a/website/docs/r/keycloak_attribute_importer_identity_provider_mapper.html.markdown +new file mode 100644 +index 0000000..80ef892 +--- /dev/null ++++ a/website/docs/r/keycloak_attribute_importer_identity_provider_mapper.html.markdown +@@ -0,0 +1,38 @@ ++# keycloak_attribute_importer_identity_provider_mapper ++ ++Allows to create and manage identity provider mappers within Keycloak. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_attribute_importer_identity_provider_mapper" "test_mapper" { ++ realm = "my-realm" ++ name = "my-mapper" ++ identity_provider_alias = "idp_alias" ++ attribute_name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" ++ user_attribute = "lastName" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm` - (Required) The name of the realm. ++- `name` - (Required) The name of the mapper. ++- `identity_provider_alias` - (Required) The alias of the associated identity provider. ++- `user_attribute` - (Required) The user attribute name to store SAML attribute. ++- `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. ++- `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. ++- `claim_name` - (Optional) The claim name. ++ ++### Import ++ ++Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak ++assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_attribute_importer_identity_provider_mapper.test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b ++``` +diff --git b/website/docs/r/keycloak_custom_user_federation.html.markdown a/website/docs/r/keycloak_custom_user_federation.html.markdown +new file mode 100644 +index 0000000..523a2a3 +--- /dev/null ++++ a/website/docs/r/keycloak_custom_user_federation.html.markdown +@@ -0,0 +1,44 @@ ++# keycloak_custom_user_federation ++ ++Allows for creating and managing custom user federation providers within Keycloak. ++ ++A custom user federation provider is an implementation of Keycloak's ++[User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). ++An example of this implementation can be found [here](https://github.com/mrparkers/terraform-provider-keycloak/tree/master/custom-user-federation-example). ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_custom_user_federation" "custom_user_federation" { ++ name = "custom" ++ realm_id = "${keycloak_realm.realm.id}" ++ provider_id = "custom" ++ ++ enabled = true ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this provider will provide user federation for. ++- `name` - (Required) Display name of the provider when displayed in the console. ++- `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. ++- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. ++- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. ++- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. ++ ++### Import ++ ++Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. ++The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: ++ ++```bash ++$ terraform import keycloak_custom_user_federation.custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 ++``` +diff --git b/website/docs/r/keycloak_default_groups.html.markdown a/website/docs/r/keycloak_default_groups.html.markdown +new file mode 100644 +index 0000000..491e41b +--- /dev/null ++++ a/website/docs/r/keycloak_default_groups.html.markdown +@@ -0,0 +1,42 @@ ++# keycloak_default_groups ++ ++Allows for managing a realm's default groups. ++ ++Note that you should not use `keycloak_default_groups` with a group with memberships managed ++by `keycloak_group_memberships`. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_group" "group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-group" ++} ++ ++resource "keycloak_default_groups" "default" { ++ realm_id = "${keycloak_realm.realm.id}" ++ group_ids = ["${keycloak_group.group.id}"] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this group exists in. ++- `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`. ++ ++### Import ++ ++Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_default_groups.default my-realm ++``` +\ No newline at end of file +diff --git b/website/docs/r/keycloak_generic_client_protocol_mapper.html.markdown a/website/docs/r/keycloak_generic_client_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..2746481 +--- /dev/null ++++ a/website/docs/r/keycloak_generic_client_protocol_mapper.html.markdown +@@ -0,0 +1,60 @@ ++# keycloak_generic_client_protocol_mapper ++ ++Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. ++ ++There are two uses cases for using this resource: ++* If you implemented a custom protocol mapper, this resource can be used to configure it ++* If the provider doesn't support a particular protocol mapper, this resource can be used instead. ++ ++Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. ++Therefore, if possible, a specific mapper should be used. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_saml_client" "saml_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++} ++ ++resource "keycloak_generic_client_protocol_mapper" "saml_hardcode_attribute_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_saml_client.saml_client.id}" ++ name = "tes-mapper" ++ protocol = "saml" ++ protocol_mapper = "saml-hardcode-attribute-mapper" ++ config = { ++ "attribute.name" = "name" ++ "attribute.nameformat" = "Basic" ++ "attribute.value" = "value" ++ "friendly.name" = "display name" ++ } ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required) The client this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. ++- `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be ++ compatible with the specified client. ++- `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. ++ ++### Import ++ ++Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_generic_client_protocol_mapper.saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_group.html.markdown a/website/docs/r/keycloak_group.html.markdown +new file mode 100644 +index 0000000..f6f03b3 +--- /dev/null ++++ a/website/docs/r/keycloak_group.html.markdown +@@ -0,0 +1,68 @@ ++# keycloak_group ++ ++Allows for creating and managing Groups within Keycloak. ++ ++Groups provide a logical wrapping for users within Keycloak. Users within a ++group can share attributes and roles, and group membership can be mapped ++to a claim. ++ ++Attributes can also be defined on Groups. ++ ++Groups can also be federated from external data sources, such as LDAP or Active Directory. ++This resource **should not** be used to manage groups that were created this way. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_group" "parent_group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "parent-group" ++} ++ ++resource "keycloak_group" "child_group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ parent_id = "${keycloak_group.parent_group.id}" ++ name = "child-group" ++} ++ ++resource "keycloak_group" "child_group_with_optional_attributes" { ++ realm_id = "${keycloak_realm.realm.id}" ++ parent_id = "${keycloak_group.parent_group.id}" ++ name = "child-group-with-optional-attributes" ++ attributes = { ++ "key1" = "value1" ++ "key2" = "value2" ++ } ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this group exists in. ++- `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. ++- `name` - (Required) The name of the group. ++- `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. ++ ++### Attributes Reference ++ ++In addition to the arguments listed above, the following computed attributes are exported: ++ ++- `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. ++ ++### Import ++ ++Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak ++assigns to the group upon creation. This value can be found in the URI when editing this group in the GUI, and is typically a GUID. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_group.child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd ++``` +diff --git b/website/docs/r/keycloak_group_memberships.html.markdown a/website/docs/r/keycloak_group_memberships.html.markdown +new file mode 100644 +index 0000000..19c2c39 +--- /dev/null ++++ a/website/docs/r/keycloak_group_memberships.html.markdown +@@ -0,0 +1,56 @@ ++# keycloak_group_memberships ++ ++Allows for managing a Keycloak group's members. ++ ++Note that this resource attempts to be an **authoritative** source over group members. ++When this resource takes control over a group's members, users that are manually added ++to the group will be removed, and users that are manually removed from the group will ++be added upon the next run of `terraform apply`. Eventually, a non-authoritative resource ++for group membership will be added to this provider. ++ ++Also note that you should not use `keycloak_group_memberships` with a group has been assigned ++as a default group via `keycloak_default_groups`. ++ ++This resource **should not** be used to control membership of a group that has its members ++federated from an external source via group mapping. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_group" "group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-group" ++} ++ ++resource "keycloak_user" "user" { ++ realm_id = "${keycloak_realm.realm.id}" ++ username = "my-user" ++} ++ ++resource "keycloak_group_memberships" "group_members" { ++ realm_id = "${keycloak_realm.realm.id}" ++ group_id = "${keycloak_group.group.id}" ++ ++ members = [ ++ "${keycloak_user.user.username}" ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this group exists in. ++- `group_id` - (Required) The ID of the group this resource should manage memberships for. ++- `members` - (Required) An array of usernames that belong to this group. ++ ++### Import ++ ++This resource does not support import. Instead of importing, feel free to create this resource ++as if it did not already exist on the server. +diff --git b/website/docs/r/keycloak_group_roles.html.markdown a/website/docs/r/keycloak_group_roles.html.markdown +new file mode 100644 +index 0000000..e0903cf +--- /dev/null ++++ a/website/docs/r/keycloak_group_roles.html.markdown +@@ -0,0 +1,83 @@ ++# keycloak_group_roles ++ ++Allows you to manage roles assigned to a Keycloak group. ++ ++Note that this resource attempts to be an **authoritative** source over ++group roles. When this resource takes control over a group's roles, ++roles that are manually added to the group will be removed, and roles ++that are manually removed from the group will be added upon the next run ++of `terraform apply`. ++ ++Note that when assigning composite roles to a group, you may see a ++non-empty plan following a `terraform apply` if you assign a role and a ++composite that includes that role to the same group. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_role" "realm_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-realm-role" ++ description = "My Realm Role" ++} ++ ++resource "keycloak_openid_client" "client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "client" ++ name = "client" ++ ++ enabled = true ++ ++ access_type = "BEARER-ONLY" ++} ++ ++resource "keycloak_role" "client_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_client.client.id}" ++ name = "my-client-role" ++ description = "My Client Role" ++} ++ ++resource "keycloak_group" "group" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-group" ++} ++ ++resource "keycloak_group_roles" "group_roles" { ++ realm_id = "${keycloak_realm.realm.id}" ++ group_id = "${keycloak_group.group.id}" ++ ++ role_ids = [ ++ "${keycloak_role.realm_role.id}", ++ "${keycloak_role.client_role.id}", ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this group exists in. ++- `group_id` - (Required) The ID of the group this resource should ++ manage roles for. ++- `role_ids` - (Required) A list of role IDs to map to the group ++ ++### Import ++ ++This resource can be imported using the format ++`{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that ++Keycloak assigns to the group upon creation. This value can be found in ++the URI when editing this group in the GUI, and is typically a GUID. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_group_roles.group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 ++``` ++ +diff --git b/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown a/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown +new file mode 100644 +index 0000000..f2655c2 +--- /dev/null ++++ a/website/docs/r/keycloak_ldap_full_name_mapper.html.markdown +@@ -0,0 +1,61 @@ ++# keycloak_ldap_full_name_mapper ++ ++Allows for creating and managing full name mappers for Keycloak users federated ++via LDAP. ++ ++The LDAP full name mapper can map a user's full name from an LDAP attribute ++to the first and last name attributes of a Keycloak user. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_ldap_user_federation" "ldap_user_federation" { ++ name = "openldap" ++ realm_id = "${keycloak_realm.realm.id}" ++ ++ username_ldap_attribute = "cn" ++ rdn_ldap_attribute = "cn" ++ uuid_ldap_attribute = "entryDN" ++ user_object_classes = [ ++ "simpleSecurityObject", ++ "organizationalRole" ++ ] ++ connection_url = "ldap://openldap" ++ users_dn = "dc=example,dc=org" ++ bind_dn = "cn=admin,dc=example,dc=org" ++ bind_credential = "admin" ++} ++ ++resource "keycloak_ldap_full_name_mapper" "ldap_full_name_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" ++ name = "full-name-mapper" ++ ldap_full_name_attribute = "cn" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this LDAP mapper will exist in. ++- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. ++- `name` - (Required) Display name of this mapper when displayed in the console. ++- `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name. ++- `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. ++- `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. ++ ++### Import ++ ++LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. ++The ID of the LDAP user federation provider and the mapper can be found within ++the Keycloak GUI, and they are typically GUIDs: ++ ++```bash ++$ terraform import keycloak_ldap_full_name_mapper.ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 ++``` +diff --git b/website/docs/r/keycloak_ldap_group_mapper.html.markdown a/website/docs/r/keycloak_ldap_group_mapper.html.markdown +new file mode 100644 +index 0000000..0f21461 +--- /dev/null ++++ a/website/docs/r/keycloak_ldap_group_mapper.html.markdown +@@ -0,0 +1,82 @@ ++# keycloak_ldap_group_mapper ++ ++Allows for creating and managing group mappers for Keycloak users federated ++via LDAP. ++ ++The LDAP group mapper can be used to map an LDAP user's groups from some DN ++to Keycloak groups. This group mapper will also create the groups within Keycloak ++if they do not already exist. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_ldap_user_federation" "ldap_user_federation" { ++ name = "openldap" ++ realm_id = "${keycloak_realm.realm.id}" ++ ++ username_ldap_attribute = "cn" ++ rdn_ldap_attribute = "cn" ++ uuid_ldap_attribute = "entryDN" ++ user_object_classes = [ ++ "simpleSecurityObject", ++ "organizationalRole" ++ ] ++ connection_url = "ldap://openldap" ++ users_dn = "dc=example,dc=org" ++ bind_dn = "cn=admin,dc=example,dc=org" ++ bind_credential = "admin" ++} ++ ++resource "keycloak_ldap_group_mapper" "ldap_group_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" ++ name = "group-mapper" ++ ++ ldap_groups_dn = "dc=example,dc=org" ++ group_name_ldap_attribute = "cn" ++ group_object_classes = [ ++ "groupOfNames" ++ ] ++ membership_attribute_type = "DN" ++ membership_ldap_attribute = "member" ++ membership_user_ldap_attribute = "cn" ++ memberof_ldap_attribute = "memberOf" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this LDAP mapper will exist in. ++- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. ++- `name` - (Required) Display name of this mapper when displayed in the console. ++- `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. ++- `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. ++- `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. ++- `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. ++- `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. ++- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. ++- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. ++- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. ++- `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. ++- `mode` - (Optional) Can be one of `READ_ONLY` or `LDAP_ONLY`. Defaults to `READ_ONLY`. ++- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. ++- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. ++- `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. ++- `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. ++ ++### Import ++ ++LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. ++The ID of the LDAP user federation provider and the mapper can be found within ++the Keycloak GUI, and they are typically GUIDs: ++ ++```bash ++$ terraform import keycloak_ldap_group_mapper.ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 ++``` +diff --git b/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown a/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown +new file mode 100644 +index 0000000..2ec6556 +--- /dev/null ++++ a/website/docs/r/keycloak_ldap_hardcoded_role_mapper.html.markdown +@@ -0,0 +1,55 @@ ++# keycloak_ldap_hardcoded_role_mapper ++ ++This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_ldap_user_federation" "ldap_user_federation" { ++ name = "openldap" ++ realm_id = keycloak_realm.realm.id ++ ++ username_ldap_attribute = "cn" ++ rdn_ldap_attribute = "cn" ++ uuid_ldap_attribute = "entryDN" ++ user_object_classes = [ ++ "simpleSecurityObject", ++ "organizationalRole" ++ ] ++ connection_url = "ldap://openldap" ++ users_dn = "dc=example,dc=org" ++ bind_dn = "cn=admin,dc=example,dc=org" ++ bind_credential = "admin" ++} ++ ++resource "keycloak_ldap_hardcoded_role_mapper" "assign_admin_role_to_all_users" { ++ realm_id = keycloak_realm.realm.id ++ ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id ++ name = "assign-admin-role-to-all-users" ++ role = "admin" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this LDAP mapper will exist in. ++- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. ++- `name` - (Required) Display name of this mapper when displayed in the console. ++- `role` - (Required) The role which should be assigned to the users. ++ ++### Import ++ ++LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. ++The ID of the LDAP user federation provider and the mapper can be found within ++the Keycloak GUI, and they are typically GUIDs: ++ ++```bash ++$ terraform import keycloak_ldap_hardcoded_role_mapper.ldap_hardcoded_role_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 ++``` +diff --git b/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown a/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown +new file mode 100644 +index 0000000..d4dc9f7 +--- /dev/null ++++ a/website/docs/r/keycloak_ldap_msad_user_account_control_mapper.html.markdown +@@ -0,0 +1,61 @@ ++# keycloak_ldap_msad_user_account_control_mapper ++ ++Allows for creating and managing MSAD user account control mappers for Keycloak ++users federated via LDAP. ++ ++The MSAD (Microsoft Active Directory) user account control mapper is specific ++to LDAP user federation providers that are pulling from AD, and it can propagate ++AD user state to Keycloak in order to enforce settings like expired passwords ++or disabled accounts. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_ldap_user_federation" "ldap_user_federation" { ++ name = "ad" ++ realm_id = "${keycloak_realm.realm.id}" ++ ++ username_ldap_attribute = "cn" ++ rdn_ldap_attribute = "cn" ++ uuid_ldap_attribute = "objectGUID" ++ user_object_classes = [ ++ "person", ++ "organizationalPerson", ++ "user" ++ ] ++ connection_url = "ldap://my-ad-server" ++ users_dn = "dc=example,dc=org" ++ bind_dn = "cn=admin,dc=example,dc=org" ++ bind_credential = "admin" ++} ++ ++resource "keycloak_ldap_msad_user_account_control_mapper" "msad_user_account_control_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" ++ name = "msad-user-account-control-mapper" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this LDAP mapper will exist in. ++- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. ++- `name` - (Required) Display name of this mapper when displayed in the console. ++- `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. ++ ++### Import ++ ++LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. ++The ID of the LDAP user federation provider and the mapper can be found within ++the Keycloak GUI, and they are typically GUIDs: ++ ++```bash ++$ terraform import keycloak_ldap_msad_user_account_control_mapper.msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 ++``` +diff --git b/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown a/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown +new file mode 100644 +index 0000000..89e0c18 +--- /dev/null ++++ a/website/docs/r/keycloak_ldap_user_attribute_mapper.html.markdown +@@ -0,0 +1,65 @@ ++# keycloak_ldap_user_attribute_mapper ++ ++Allows for creating and managing user attribute mappers for Keycloak users ++federated via LDAP. ++ ++The LDAP user attribute mapper can be used to map a single LDAP attribute ++to an attribute on the Keycloak user model. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_ldap_user_federation" "ldap_user_federation" { ++ name = "openldap" ++ realm_id = "${keycloak_realm.realm.id}" ++ ++ username_ldap_attribute = "cn" ++ rdn_ldap_attribute = "cn" ++ uuid_ldap_attribute = "entryDN" ++ user_object_classes = [ ++ "simpleSecurityObject", ++ "organizationalRole" ++ ] ++ connection_url = "ldap://openldap" ++ users_dn = "dc=example,dc=org" ++ bind_dn = "cn=admin,dc=example,dc=org" ++ bind_credential = "admin" ++} ++ ++resource "keycloak_ldap_user_attribute_mapper" "ldap_user_attribute_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ ldap_user_federation_id = "${keycloak_ldap_user_federation.ldap_user_federation.id}" ++ name = "user-attribute-mapper" ++ ++ user_model_attribute = "foo" ++ ldap_attribute = "bar" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this LDAP mapper will exist in. ++- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. ++- `name` - (Required) Display name of this mapper when displayed in the console. ++- `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. ++- `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. ++- `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. ++- `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. ++- `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. ++ ++### Import ++ ++LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. ++The ID of the LDAP user federation provider and the mapper can be found within ++the Keycloak GUI, and they are typically GUIDs: ++ ++```bash ++$ terraform import keycloak_ldap_user_attribute_mapper.ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 ++``` +diff --git b/website/docs/r/keycloak_ldap_user_federation.html.markdown a/website/docs/r/keycloak_ldap_user_federation.html.markdown +new file mode 100644 +index 0000000..d399887 +--- /dev/null ++++ a/website/docs/r/keycloak_ldap_user_federation.html.markdown +@@ -0,0 +1,85 @@ ++# keycloak_ldap_user_federation ++ ++Allows for creating and managing LDAP user federation providers within Keycloak. ++ ++Keycloak can use an LDAP user federation provider to federate users to Keycloak ++from a directory system such as LDAP or Active Directory. Federated users ++will exist within the realm and will be able to log in to clients. Federated ++users can have their attributes defined using mappers. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++} ++ ++resource "keycloak_ldap_user_federation" "ldap_user_federation" { ++ name = "openldap" ++ realm_id = "${keycloak_realm.realm.id}" ++ ++ enabled = true ++ ++ username_ldap_attribute = "cn" ++ rdn_ldap_attribute = "cn" ++ uuid_ldap_attribute = "entryDN" ++ user_object_classes = [ ++ "simpleSecurityObject", ++ "organizationalRole" ++ ] ++ connection_url = "ldap://openldap" ++ users_dn = "dc=example,dc=org" ++ bind_dn = "cn=admin,dc=example,dc=org" ++ bind_credential = "admin" ++ ++ connection_timeout = "5s" ++ read_timeout = "10s" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm that this provider will provide user federation for. ++- `name` - (Required) Display name of the provider when displayed in the console. ++- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. ++- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. ++- `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. ++- `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. ++- `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. ++- `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OPTIONAL`. ++- `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. ++- `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. ++- `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. ++- `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. ++- `connection_url` - (Required) Connection URL to the LDAP server. ++- `users_dn` - (Required) Full DN of LDAP tree where your users are. ++- `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. ++- `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. ++- `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. ++- `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: ++ - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. ++ - `SUBTREE`: Search entire LDAP subtree. ++- `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. ++- `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: ++ - `ALWAYS` - Always use the truststore SPI for LDAP connections. ++ - `NEVER` - Never use the truststore SPI for LDAP connections. ++ - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. ++- `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ++- `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). ++- `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. ++- `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. ++- `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. ++- `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. ++- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. ++ ++### Import ++ ++LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. ++The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: ++ ++```bash ++$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 ++``` +diff --git b/website/docs/r/keycloak_openid_audience_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_audience_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..4d7b6b3 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_audience_protocol_mapper.html.markdown +@@ -0,0 +1,86 @@ ++# keycloak_openid_audience_protocol_mapper ++ ++Allows for creating and managing audience protocol mappers within ++Keycloak. This mapper was added in Keycloak v4.6.0.Final. ++ ++Audience protocol mappers allow you add audiences to the `aud` claim ++within issued tokens. The audience can be a custom string, or it can be ++mapped to the ID of a pre-existing client. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "audience-mapper" ++ ++ included_custom_audience = "foo" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "audience-mapper" ++ ++ included_custom_audience = "foo" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim. ++- `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim. ++- `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_client.html.markdown a/website/docs/r/keycloak_openid_client.html.markdown +new file mode 100644 +index 0000000..ae8c9fb +--- /dev/null ++++ a/website/docs/r/keycloak_openid_client.html.markdown +@@ -0,0 +1,77 @@ ++# keycloak_openid_client ++ ++Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. ++ ++Clients are entities that can use Keycloak for user authentication. Typically, ++clients are applications that redirect users to Keycloak for authentication ++in order to take advantage of Keycloak's user sessions for SSO. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this client is attached to. ++- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. ++- `name` - (Optional) The display name of this client in the GUI. ++- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. ++- `description` - (Optional) The description of this client in the GUI. ++- `access_type` - (Required) Specifies the type of client, which can be one of the following: ++ - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. ++ This client should be used for applications using the Authorization Code or Client Credentials grant flows. ++ - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect ++ URIs for security. This client should be used for applications using the Implicit grant flow. ++ - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. ++- `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and ++should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. ++- `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. ++- `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. ++- `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. ++- `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. ++- `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple ++wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` ++is set to `true`. ++- `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. ++- `admin_url` - (Optional) URL to the admin interface of the client. ++- `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. ++- `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. ++- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token. ++ ++### Attributes Reference ++ ++In addition to the arguments listed above, the following computed attributes are exported: ++ ++- `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. ++ ++ ++### Import ++ ++Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak ++assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_client.openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 ++``` +diff --git b/website/docs/r/keycloak_openid_client_default_scopes.html.markdown a/website/docs/r/keycloak_openid_client_default_scopes.html.markdown +new file mode 100644 +index 0000000..56c05ea +--- /dev/null ++++ a/website/docs/r/keycloak_openid_client_default_scopes.html.markdown +@@ -0,0 +1,65 @@ ++# keycloak_openid_client_default_scopes ++ ++Allows for managing a Keycloak client's default client scopes. A default ++scope that is attached to a client using the OpenID Connect protocol will ++automatically use the protocol mappers defined within that scope to build ++claims for this client regardless of the provided OAuth2.0 `scope` parameter. ++ ++Note that this resource attempts to be an **authoritative** source over ++default scopes for a Keycloak client using the OpenID Connect protocol. ++This means that once Terraform controls a particular client's default scopes, ++it will attempt to remove any default scopes that were attached manually, ++and it will attempt to add any default scopes that were detached manually. ++ ++By default, Keycloak sets the `profile`, `email`, `roles`, and `web-origins` ++scopes as default scopes for every newly created client. If you create this ++resource for the first time and do not include these scopes, a following run ++of `terraform plan` will result in changes. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ access_type = "CONFIDENTIAL" ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_client_default_scopes" "client_default_scopes" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.client.id}" ++ ++ default_scopes = [ ++ "profile", ++ "email", ++ "roles", ++ "web-origins", ++ "${keycloak_openid_client_scope.client_scope.name}" ++ ] ++} ++ ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this client and scopes exists in. ++- `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. ++- `default_scopes` - (Required) An array of client scope names to attach to this client. ++ ++### Import ++ ++This resource does not support import. Instead of importing, feel free to create this resource ++as if it did not already exist on the server. +diff --git b/website/docs/r/keycloak_openid_client_optional_scopes.html.markdown a/website/docs/r/keycloak_openid_client_optional_scopes.html.markdown +new file mode 100644 +index 0000000..960a3a8 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_client_optional_scopes.html.markdown +@@ -0,0 +1,65 @@ ++# keycloak_openid_client_optional_scopes ++ ++Allows for managing a Keycloak client's optional client scopes. An optional ++scope that is attached to a client using the OpenID Connect protocol will ++allow a client to request it using the OAuth 2.0 `scope` parameter. When ++requested, the scope's protocol mappers defined within that scope will be ++used to build claims for this client. ++ ++Note that this resource attempts to be an **authoritative** source over ++optional scopes for a Keycloak client using the OpenID Connect protocol. ++This means that once Terraform controls a particular client's optional scopes, ++it will attempt to remove any optional scopes that were attached manually, ++and it will attempt to add any optional scopes that were detached manually. ++ ++By default, Keycloak sets the `address`, `phone` and `offline_access` scopes as ++optional scopes for every newly created client. If you create this resource for ++the first time and do not include these scopes, a following run of `terraform plan` ++will result in changes. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ access_type = "CONFIDENTIAL" ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_client_optional_scopes" "client_optional_scopes" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.client.id}" ++ ++ optional_scopes = [ ++ "address", ++ "phone", ++ "offline_access", ++ "${keycloak_openid_client_scope.client_scope.name}" ++ ] ++} ++ ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this client and scopes exists in. ++- `client_id` - (Required) The ID of the client to attach optional scopes to. Note that this is the unique ID of the client generated by Keycloak. ++- `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. ++ ++### Import ++ ++This resource does not support import. Instead of importing, feel free to create this resource ++as if it did not already exist on the server. +diff --git b/website/docs/r/keycloak_openid_client_scope.html.markdown a/website/docs/r/keycloak_openid_client_scope.html.markdown +new file mode 100644 +index 0000000..81e6026 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_client_scope.html.markdown +@@ -0,0 +1,45 @@ ++# keycloak_openid_client_scope ++ ++Allows for creating and managing Keycloak client scopes that can be attached to ++clients that use the OpenID Connect protocol. ++ ++Client Scopes can be used to share common protocol and role mappings between multiple ++clients within a realm. They can also be used by clients to conditionally request ++claims or roles for a user based on the OAuth 2.0 `scope` parameter. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "openid_client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "groups" ++ description = "When requested, this scope will map a user's group memberships to a claim" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this client scope belongs to. ++- `name` - (Required) The display name of this client scope in the GUI. ++- `description` - (Optional) The description of this client scope in the GUI. ++- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users ++authenticating to clients with this scope attached. The consent screen will display the string ++value of this attribute. ++ ++### Import ++ ++Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak ++assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_client_scope.openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 ++``` +diff --git b/website/docs/r/keycloak_openid_full_name_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_full_name_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..8b904e0 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_full_name_protocol_mapper.html.markdown +@@ -0,0 +1,82 @@ ++# keycloak_openid_full_name_protocol_mapper ++ ++Allows for creating and managing full name protocol mappers within ++Keycloak. ++ ++Full name protocol mappers allow you to map a user's first and last name ++to the OpenID Connect `name` claim in a token. Protocol mappers can be defined ++for a single client, or they can be defined for a client scope which can ++be shared between multiple different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "full-name-mapper" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "full-name-mapper" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. ++- `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_group_membership_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_group_membership_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..070b510 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_group_membership_protocol_mapper.html.markdown +@@ -0,0 +1,88 @@ ++# keycloak_openid_group_membership_protocol_mapper ++ ++Allows for creating and managing group membership protocol mappers within ++Keycloak. ++ ++Group membership protocol mappers allow you to map a user's group memberships ++to a claim in a token. Protocol mappers can be defined for a single client, ++or they can be defined for a client scope which can be shared between multiple ++different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "group-membership-mapper" ++ ++ claim_name = "groups" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "group-membership-mapper" ++ ++ claim_name = "groups" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `claim_name` - (Required) The name of the claim to insert into a token. ++- `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. ++- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. ++- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_hardcoded_claim_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_hardcoded_claim_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..d2b8bc4 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_hardcoded_claim_protocol_mapper.html.markdown +@@ -0,0 +1,91 @@ ++# keycloak_openid_hardcoded_claim_protocol_mapper ++ ++Allows for creating and managing hardcoded claim protocol mappers within ++Keycloak. ++ ++Hardcoded claim protocol mappers allow you to define a claim with a hardcoded ++value. Protocol mappers can be defined for a single client, or they can ++be defined for a client scope which can be shared between multiple different ++clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "hardcoded-claim-mapper" ++ ++ claim_name = "foo" ++ claim_value = "bar" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "hardcoded-claim-mapper" ++ ++ claim_name = "foo" ++ claim_value = "bar" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `claim_name` - (Required) The name of the claim to insert into a token. ++- `claim_value` - (Required) The hardcoded value of the claim. ++- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. ++- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. ++- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_hardcoded_role_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_hardcoded_role_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..c13a07c +--- /dev/null ++++ a/website/docs/r/keycloak_openid_hardcoded_role_protocol_mapper.html.markdown +@@ -0,0 +1,93 @@ ++# keycloak_openid_hardcoded_role_protocol_mapper ++ ++Allows for creating and managing hardcoded role protocol mappers within ++Keycloak. ++ ++Hardcoded role protocol mappers allow you to specify a single role to ++always map to an access token for a client. Protocol mappers can be ++defined for a single client, or they can be defined for a client scope ++which can be shared between multiple different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_role" "role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-role" ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "hardcoded-role-mapper" ++ role_id = "${keycloak_role.role.id}" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_role" "role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-role" ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "hardcoded-role-mapper" ++ role_id = "${keycloak_role.role.id}" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the ++ GUI. ++- `role_id` - (Required) The ID of the role to map to an access token. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_user_attribute_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_user_attribute_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..bc302b6 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_user_attribute_protocol_mapper.html.markdown +@@ -0,0 +1,92 @@ ++# keycloak_openid_user_attribute_protocol_mapper ++ ++Allows for creating and managing user attribute protocol mappers within ++Keycloak. ++ ++User attribute protocol mappers allow you to map custom attributes defined ++for a user within Keycloak to a claim in a token. Protocol mappers can be ++defined for a single client, or they can be defined for a client scope which ++can be shared between multiple different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "test-mapper" ++ ++ user_attribute = "foo" ++ claim_name = "bar" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "test-mapper" ++ ++ user_attribute = "foo" ++ claim_name = "bar" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `user_attribute` - (Required) The custom user attribute to map a claim for. ++- `claim_name` - (Required) The name of the claim to insert into a token. ++- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. ++- `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. ++- `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. ++- `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_user_property_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_user_property_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..c010fb6 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_user_property_protocol_mapper.html.markdown +@@ -0,0 +1,91 @@ ++# keycloak_openid_user_property_protocol_mapper ++ ++Allows for creating and managing user property protocol mappers within ++Keycloak. ++ ++User property protocol mappers allow you to map built in properties defined ++on the Keycloak user interface to a claim in a token. Protocol mappers can be ++defined for a single client, or they can be defined for a client scope which ++can be shared between multiple different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "test-mapper" ++ ++ user_property = "email" ++ claim_name = "email" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "test-mapper" ++ ++ user_property = "email" ++ claim_name = "email" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `user_property` - (Required) The built in user property (such as email) to map a claim for. ++- `claim_name` - (Required) The name of the claim to insert into a token. ++- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. ++- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. ++- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_openid_user_realm_role_protocol_mapper.html.markdown a/website/docs/r/keycloak_openid_user_realm_role_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..e1df531 +--- /dev/null ++++ a/website/docs/r/keycloak_openid_user_realm_role_protocol_mapper.html.markdown +@@ -0,0 +1,90 @@ ++# keycloak_openid_user_realm_role_protocol_mapper ++ ++Allows for creating and managing user realm role protocol mappers within ++Keycloak. ++ ++User realm role protocol mappers allow you to define a claim containing the list of the realm roles. ++Protocol mappers can be defined for a single client, or they can ++be defined for a client scope which can be shared between multiple different ++clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "openid_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-client" ++ ++ name = "test client" ++ enabled = true ++ ++ access_type = "CONFIDENTIAL" ++ valid_redirect_uris = [ ++ "http://localhost:8080/openid-callback" ++ ] ++} ++ ++resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_openid_client.openid_client.id}" ++ name = "user-realm-role-mapper" ++ ++ claim_name = "foo" ++} ++``` ++ ++### Example Usage (Client Scope) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client_scope" "client_scope" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "test-client-scope" ++} ++ ++resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_scope_id = "${keycloak_openid_client_scope.client_scope.id}" ++ name = "user-realm-role-mapper" ++ ++ claim_name = "foo" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `claim_name` - (Required) The name of the claim to insert into a token. ++- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `long`, `int`, or `boolean`. Defaults to `String`. ++- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `true`. ++- `realm_role_prefix` - (Optional) A prefix for each Realm Role. ++- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. ++- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. ++- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_realm.html.markdown a/website/docs/r/keycloak_realm.html.markdown +new file mode 100644 +index 0000000..23e4d35 +--- /dev/null ++++ a/website/docs/r/keycloak_realm.html.markdown +@@ -0,0 +1,161 @@ ++# keycloak_realm ++ ++Allows for creating and managing Realms within Keycloak. ++ ++A realm manages a logical collection of users, credentials, roles, and groups. ++Users log in to realms and can be federated from multiple sources. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++ enabled = true ++ display_name = "test realm" ++ display_name_html = "test realm" ++ ++ login_theme = "base" ++ ++ access_code_lifespan = "1h" ++ ssl_required = "external" ++ password_policy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername" ++ attributes = { ++ mycustomAttribute = "myCustomValue" ++ } ++ ++ smtp_server { ++ host = "smtp.example.com" ++ from = "example@example.com" ++ ++ auth { ++ username = "tom" ++ password = "password" ++ } ++ } ++ ++ internationalization { ++ supported_locales = [ ++ "en", ++ "de", ++ "es" ++ ] ++ default_locale = "en" ++ } ++ ++ security_defenses { ++ headers { ++ x_frame_options = "DENY" ++ content_security_policy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';" ++ content_security_policy_report_only = "" ++ x_content_type_options = "nosniff" ++ x_robots_tag = "none" ++ x_xss_protection = "1; mode=block" ++ strict_transport_security = "max-age=31536000; includeSubDomains" ++ } ++ brute_force_detection { ++ permanent_lockout = false ++ max_login_failures = 30 ++ wait_increment_seconds = 60 ++ quick_login_check_milli_seconds = 1000 ++ minimum_quick_login_wait_seconds = 60 ++ max_failure_wait_seconds = 900 ++ failure_reset_time_seconds = 43200 ++ } ++ } ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm` - (Required) The name of the realm. This is unique across Keycloak. ++- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. ++- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. ++- `display_name_html` - (Optional) The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. ++ ++##### Login Settings ++ ++The following attributes are all booleans, and can be found in the "Login" tab within the realm settings. ++If any of these attributes are not specified, they will default to Keycloak's default settings. ++ ++- `registration_allowed` - (Optional) When true, user registration will be enabled, and a link for registration will be displayed on the login page. ++- `registration_email_as_username` - (Optional) When true, the user's email will be used as their username during registration. ++- `edit_username_allowed` - (Optional) When true, the username field is editable. ++- `reset_password_allowed` - (Optional) When true, a "forgot password" link will be displayed on the login page. ++- `remember_me` - (Optional) When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts. ++- `verify_email` - (Optional) When true, users are required to verify their email address after registration and after email address changes. ++- `login_with_email_allowed` - (Optional) When true, users may log in with their email address. ++- `duplicate_emails_allowed` - (Optional) When true, multiple users will be allowed to have the same email address. This attribute must be set to `false` if `login_with_email_allowed` is set to `true`. ++- `ssl_required` - (Optional) Can be one of following values: 'none, 'external' or 'all' ++ ++##### Themes ++ ++The following attributes can be used to configure themes for the realm. Custom themes can be specified here. ++If any of these attributes are not specified, they will default to Keycloak's default settings. Typically the `keycloak` theme is used by default. ++ ++- `login_theme` - (Optional) Used for the login, forgot password, and registration pages. ++- `account_theme` - (Optional) Used for account management pages. ++- `admin_theme` - (Optional) Used for the admin console. ++- `email_theme` - (Optional) Used for emails that are sent by Keycloak. ++ ++##### Tokens ++ ++The following attributes can be found in the "Tokens" tab within the realm settings. ++ ++- `revoke_refresh_token` - (Optional) If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused. ++- `refresh_token_max_reuse` - (Optional) Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused. ++ ++The attributes below should be specified as [Go duration strings](https://golang.org/pkg/time/#Duration.String). They will default to Keycloak's default settings. ++ ++- `sso_session_idle_timeout` - (Optional) The amount of time a session can be idle before it expires. ++- `sso_session_max_lifespan` - (Optional) The maximum amount of time before a session expires regardless of activity. ++- `offline_session_idle_timeout` - (Optional) The amount of time an offline session can be idle before it expires. ++- `offline_session_max_lifespan` - (Optional) The maximum amount of time before an offline session expires regardless of activity. ++- `access_token_lifespan` - (Optional) The amount of time an access token can be used before it expires. ++- `access_token_lifespan_for_implicit_flow` - (Optional) The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires. ++- `access_code_lifespan` - (Optional) The maximum amount of time a client has to finish the authorization code flow. ++- `access_code_lifespan_login` - (Optional) The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted. ++- `access_code_lifespan_user_action` - (Optional) The maximum amount of time a user has to complete login related actions, such as updating a password. ++- `action_token_generated_by_user_lifespan` - (Optional) The maximum time a user has to use a user-generated permit before it expires. ++- `action_token_generated_by_admin_lifespan` - (Optional) The maximum time a user has to use an admin-generated permit before it expires. ++ ++##### SMTP ++ ++The `smtp_server` block can be used to configure the realm's SMTP settings, which can be found in the "Email" tab in the GUI. ++This block supports the following attributes: ++ ++- `host` - (Required) The host of the SMTP server. ++- `port` - (Optional) The port of the SMTP server (defaults to 25). ++- `from` - (Required) The email address for the sender. ++- `from_display_name` - (Optional) The display name of the sender email address. ++- `reply_to` - (Optional) The "reply to" email address. ++- `reply_to_display_name` - (Optional) The display name of the "reply to" email address. ++- `envelope_from` - (Optional) The email address uses for bounces. ++- `starttls` - (Optional) When `true`, enables StartTLS. Defaults to `false`. ++- `ssl` - (Optional) When `true`, enables SSL. Defaults to `false`. ++- `auth` - (Optional) Enables authentication to the SMTP server. This block supports the following attributes: ++ - `username`- (Required) The SMTP server username. ++ - `password` - (Required) The SMTP server password. ++ ++##### Internationalization ++ ++Internationalization support can be configured by using the `internationalization` block, which supports the following attributes: ++ ++- `supported_locales` - (Required) A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. ++- `default_locale` - (Required) The locale to use by default. This locale code must be present within the `supported_locales` list. ++ ++##### Security Defenses Headers ++ ++Header configuration support for browser security settings and brute force detection ++ ++#### Atributes ++Map, can be used to add custom attributes to a realm. Or perhaps influence a certain attribute that is not supported in this terraform-provider ++ ++### Import ++ ++Realms can be imported using their name: ++ ++```bash ++$ terraform import keycloak_realm.realm test ++``` +diff --git b/website/docs/r/keycloak_realm_events.html.markdown a/website/docs/r/keycloak_realm_events.html.markdown +new file mode 100644 +index 0000000..025f34c +--- /dev/null ++++ a/website/docs/r/keycloak_realm_events.html.markdown +@@ -0,0 +1,43 @@ ++# keycloak_realm_events ++ ++Allows for managing Realm Events settings within Keycloak. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "test" ++} ++ ++resource "keycloak_realm_events" "realm_events" { ++ realm_id = "${keycloak_realm.realm.id}" ++ ++ events_enabled = true ++ events_expiration = 3600 ++ ++ admin_events_enabled = true ++ admin_events_details_enabled = true ++ ++ # When omitted or left empty, keycloak will enable all event types ++ enabled_event_types = [ ++ "LOGIN", ++ "LOGOUT", ++ ] ++ ++ events_listeners = [ ++ "jboss-logging", # keycloak enables the 'jboss-logging' event listener by default. ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The name of the realm the event settings apply to. ++- `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. ++- `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. ++- `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. ++- `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. ++- `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. ++- `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. +diff --git b/website/docs/r/keycloak_role.html.markdown a/website/docs/r/keycloak_role.html.markdown +new file mode 100644 +index 0000000..a9f7eaa +--- /dev/null ++++ a/website/docs/r/keycloak_role.html.markdown +@@ -0,0 +1,136 @@ ++# keycloak_role ++ ++Allows for creating and managing roles within Keycloak. ++ ++Roles allow you define privileges within Keycloak and map them to users ++and groups. ++ ++### Example Usage (Realm role) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_role" "realm_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "my-realm-role" ++ description = "My Realm Role" ++} ++``` ++ ++### Example Usage (Client role) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_openid_client" "client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "client" ++ name = "client" ++ ++ enabled = true ++ ++ access_type = "BEARER-ONLY" ++} ++ ++resource "keycloak_role" "client_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_client.client.id}" ++ name = "my-client-role" ++ description = "My Client Role" ++} ++``` ++ ++### Example Usage (Composite role) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++# realm roles ++ ++resource "keycloak_role" "create_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "create" ++} ++ ++resource "keycloak_role" "read_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "read" ++} ++ ++resource "keycloak_role" "update_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "update" ++} ++ ++resource "keycloak_role" "delete_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "delete" ++} ++ ++# client role ++ ++resource "keycloak_openid_client" "client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "client" ++ name = "client" ++ ++ enabled = true ++ ++ access_type = "BEARER-ONLY" ++} ++ ++resource "keycloak_role" "client_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "${keycloak_client.client.id}" ++ name = "my-client-role" ++ description = "My Client Role" ++} ++ ++resource "keycloak_role" "admin_role" { ++ realm_id = "${keycloak_realm.realm.id}" ++ name = "admin" ++ composite_roles = [ ++ "{keycloak_role.create_role.id}", ++ "{keycloak_role.read_role.id}", ++ "{keycloak_role.update_role.id}", ++ "{keycloak_role.delete_role.id}", ++ "{keycloak_role.client_role.id}", ++ ] ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this role exists within. ++- `client_id` - (Optional) When specified, this role will be created as ++ a client role attached to the client with the provided ID ++- `name` - (Required) The name of the role ++- `description` - (Optional) The description of the role ++- `composite_roles` - (Optional) When specified, this role will be a ++ composite role, composed of all roles that have an ID present within ++ this list. ++ ++ ++### Import ++ ++Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where ++`role_id` is the unique ID that Keycloak assigns to the role. The ID is ++not easy to find in the GUI, but it appears in the URL when editing the ++role. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_role.role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad ++``` +diff --git b/website/docs/r/keycloak_saml_client.html.markdown a/website/docs/r/keycloak_saml_client.html.markdown +new file mode 100644 +index 0000000..3eec0de +--- /dev/null ++++ a/website/docs/r/keycloak_saml_client.html.markdown +@@ -0,0 +1,70 @@ ++# keycloak_saml_client ++ ++Allows for creating and managing Keycloak clients that use the SAML protocol. ++ ++Clients are entities that can use Keycloak for user authentication. Typically, ++clients are applications that redirect users to Keycloak for authentication ++in order to take advantage of Keycloak's user sessions for SSO. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_saml_client" "saml_client" { ++ realm_id = "${keycloak_realm.realm.id}" ++ client_id = "test-saml-client" ++ name = "test-saml-client" ++ ++ sign_documents = false ++ sign_assertions = true ++ include_authn_statement = true ++ ++ signing_certificate = "${file("saml-cert.pem")}" ++ signing_private_key = "${file("saml-key.pem")}" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this client is attached to. ++- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. ++- `name` - (Optional) The display name of this client in the GUI. ++- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. ++- `description` - (Optional) The description of this client in the GUI. ++- `include_authn_statement` - (Optional) When `true`, an `AuthnStatement` will be included in the SAML response. ++- `sign_documents` - (Optional) When `true`, the SAML document will be signed by Keycloak using the realm's private key. ++- `sign_assertions` - (Optional) When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. ++- `client_signature_required` - (Optional) When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. ++- `force_post_binding` - (Optional) When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. ++- `front_channel_logout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout. ++- `name_id_format` - (Optional) Sets the Name ID format for the subject. ++- `root_url` - (Optional) When specified, this value is prepended to all relative URLs. ++- `valid_redirect_uris` - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. ++- `base_url` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client. ++- `master_saml_processing_url` - (Optional) When specified, this URL will be used for all SAML requests. ++- `signing_certificate` - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature. ++- `signing_private_key` - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature. ++- `idp_initiated_sso_url_name` - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO. ++- `idp_initiated_sso_relay_state` - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO. ++- `assertion_consumer_post_url` - (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses). ++- `assertion_consumer_redirect_url` - (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses). ++- `logout_service_post_binding_url` - (Optional) SAML POST Binding URL for the client's single logout service. ++- `logout_service_redirect_binding_url` - (Optional) SAML Redirect Binding URL for the client's single logout service. ++- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token ++ ++### Import ++ ++Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak ++assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_saml_client.saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 ++``` +diff --git b/website/docs/r/keycloak_saml_identity_provider.html.markdown a/website/docs/r/keycloak_saml_identity_provider.html.markdown +new file mode 100644 +index 0000000..755a072 +--- /dev/null ++++ a/website/docs/r/keycloak_saml_identity_provider.html.markdown +@@ -0,0 +1,67 @@ ++# keycloak_saml_identity_provider ++ ++Allows to create and manage SAML Identity Providers within Keycloak. ++ ++SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_saml_identity_provider" "realm_identity_provider" { ++ realm = "my-realm" ++ alias = "my-idp" ++ single_sign_on_service_url = "https://domain.com/adfs/ls/" ++ single_logout_service_url = "https://domain.com/adfs/ls/?wa=wsignout1.0" ++ backchannel_supported = true ++ post_binding_response = true ++ post_binding_logout = true ++ post_binding_authn_request = true ++ store_token = false ++ trust_email = true ++ force_authn = true ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm` - (Required) The name of the realm. This is unique across Keycloak. ++- `alias` - (Optional) The uniq name of identity provider. ++- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. ++- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. ++- `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. ++- `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. ++- `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. ++- `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. ++- `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. ++- `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. ++- `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. ++- `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. ++ ++#### SAML Configuration ++ ++- `single_sign_on_service_url` - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest). ++- `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. ++- `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. ++- `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. ++- `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. ++- `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. ++- `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. ++- `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. ++- `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. ++- `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. ++- `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. ++- `signing_certificate` - (Optional) Signing Certificate. ++- `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty. ++- `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. ++ ++### Import ++ ++Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp ++``` +diff --git b/website/docs/r/keycloak_saml_user_attribute_protocol_mapper.html.markdown a/website/docs/r/keycloak_saml_user_attribute_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..a0feaf9 +--- /dev/null ++++ a/website/docs/r/keycloak_saml_user_attribute_protocol_mapper.html.markdown +@@ -0,0 +1,60 @@ ++# keycloak_saml_user_attribute_protocol_mapper ++ ++Allows for creating and managing user attribute protocol mappers for ++SAML clients within Keycloak. ++ ++SAML user attribute protocol mappers allow you to map custom attributes defined ++for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers ++can be defined for a single client, or they can be defined for a client scope which ++can be shared between multiple different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_saml_client" "saml_client" { ++ realm_id = "${keycloak_realm.test.id}" ++ client_id = "test-saml-client" ++ name = "test-saml-client" ++} ++ ++resource "keycloak_saml_user_attribute_protocol_mapper" "saml_user_attribute_mapper" { ++ realm_id = "${keycloak_realm.test.id}" ++ client_id = "${keycloak_saml_client.saml_client.id}" ++ name = "displayname-user-attribute-mapper" ++ ++ user_attribute = "displayName" ++ saml_attribute_name = "displayName" ++ saml_attribute_name_format = "Unspecified" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `user_attribute` - (Required) The custom user attribute to map. ++- `friendly_name` - (Optional) An optional human-friendly name for this attribute. ++- `saml_attribute_name` - (Required) The name of the SAML attribute. ++- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_saml_user_property_protocol_mapper.html.markdown a/website/docs/r/keycloak_saml_user_property_protocol_mapper.html.markdown +new file mode 100644 +index 0000000..b74209b +--- /dev/null ++++ a/website/docs/r/keycloak_saml_user_property_protocol_mapper.html.markdown +@@ -0,0 +1,60 @@ ++# keycloak_saml_user_property_protocol_mapper ++ ++Allows for creating and managing user property protocol mappers for ++SAML clients within Keycloak. ++ ++SAML user property protocol mappers allow you to map properties of the Keycloak ++user model to an attribute in a SAML assertion. Protocol mappers ++can be defined for a single client, or they can be defined for a client scope which ++can be shared between multiple different clients. ++ ++### Example Usage (Client) ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_saml_client" "saml_client" { ++ realm_id = "${keycloak_realm.test.id}" ++ client_id = "test-saml-client" ++ name = "test-saml-client" ++} ++ ++resource "keycloak_saml_user_property_protocol_mapper" "saml_user_property_mapper" { ++ realm_id = "${keycloak_realm.test.id}" ++ client_id = "${keycloak_saml_client.saml_client.id}" ++ name = "email-user-property-mapper" ++ ++ user_property = "email" ++ saml_attribute_name = "email" ++ saml_attribute_name_format = "Unspecified" ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this protocol mapper exists within. ++- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. ++- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. ++- `name` - (Required) The display name of this protocol mapper in the GUI. ++- `user_property` - (Required) The property of the Keycloak user model to map. ++- `friendly_name` - (Optional) An optional human-friendly name for this attribute. ++- `saml_attribute_name` - (Required) The name of the SAML attribute. ++- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. ++ ++### Import ++ ++Protocol mappers can be imported using one of the following formats: ++- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` ++- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` ++ ++Example: ++ ++```bash ++$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ++``` +diff --git b/website/docs/r/keycloak_user.html.markdown a/website/docs/r/keycloak_user.html.markdown +new file mode 100644 +index 0000000..03de8b1 +--- /dev/null ++++ a/website/docs/r/keycloak_user.html.markdown +@@ -0,0 +1,67 @@ ++# keycloak_user ++ ++Allows for creating and managing Users within Keycloak. ++ ++This resource was created primarily to enable the acceptance tests for the `keycloak_group` resource. ++Creating users within Keycloak is not recommended. Instead, users should be federated from external sources ++by configuring user federation providers or identity providers. ++ ++### Example Usage ++ ++```hcl ++resource "keycloak_realm" "realm" { ++ realm = "my-realm" ++ enabled = true ++} ++ ++resource "keycloak_user" "user" { ++ realm_id = "${keycloak_realm.realm.id}" ++ username = "bob" ++ enabled = true ++ ++ email = "bob@domain.com" ++ first_name = "Bob" ++ last_name = "Bobson" ++} ++ ++resource "keycloak_user" "user_with_initial_password" { ++ realm_id = "${keycloak_realm.realm.id}" ++ username = "alice" ++ enabled = true ++ ++ email = "alice@domain.com" ++ first_name = "Alice" ++ last_name = "Aliceberg" ++ ++ initial_password { ++ value = "some password" ++ temporary = true ++ } ++} ++``` ++ ++### Argument Reference ++ ++The following arguments are supported: ++ ++- `realm_id` - (Required) The realm this user belongs to. ++- `username` - (Required) The unique username of this user. ++- `initial_password` (Optional) When given, the user's initial password will be set. ++ This attribute is only respected during initial user creation. ++ - `value` (Required) The initial password. ++ - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. ++- `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. ++- `email` - (Optional) The user's email. ++- `first_name` - (Optional) The user's first name. ++- `last_name` - (Optional) The user's last name. ++ ++### Import ++ ++Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak ++assigns to the user upon creation. This value can be found in the GUI when editing the user. ++ ++Example: ++ ++```bash ++$ terraform import keycloak_user.user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 ++``` diff --git a/provider/cmd/pulumi-resource-keycloak/bridge-metadata.json b/provider/cmd/pulumi-resource-keycloak/bridge-metadata.json index 9922a1ca..6b22a4cf 100644 --- a/provider/cmd/pulumi-resource-keycloak/bridge-metadata.json +++ b/provider/cmd/pulumi-resource-keycloak/bridge-metadata.json @@ -2,34 +2,44 @@ "auto-aliasing": { "resources": { "keycloak_attribute_importer_identity_provider_mapper": { - "current": "keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper" + "current": "keycloak:index/attributeImporterIdentityProviderMapper:AttributeImporterIdentityProviderMapper", + "majorVersion": 5 }, "keycloak_attribute_to_role_identity_provider_mapper": { - "current": "keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper" + "current": "keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper", + "majorVersion": 5 }, "keycloak_authentication_bindings": { - "current": "keycloak:authentication/bindings:Bindings" + "current": "keycloak:authentication/bindings:Bindings", + "majorVersion": 5 }, "keycloak_authentication_execution": { - "current": "keycloak:authentication/execution:Execution" + "current": "keycloak:authentication/execution:Execution", + "majorVersion": 5 }, "keycloak_authentication_execution_config": { - "current": "keycloak:authentication/executionConfig:ExecutionConfig" + "current": "keycloak:authentication/executionConfig:ExecutionConfig", + "majorVersion": 5 }, "keycloak_authentication_flow": { - "current": "keycloak:authentication/flow:Flow" + "current": "keycloak:authentication/flow:Flow", + "majorVersion": 5 }, "keycloak_authentication_subflow": { - "current": "keycloak:authentication/subflow:Subflow" + "current": "keycloak:authentication/subflow:Subflow", + "majorVersion": 5 }, "keycloak_custom_identity_provider_mapper": { - "current": "keycloak:index/customIdentityProviderMapping:CustomIdentityProviderMapping" + "current": "keycloak:index/customIdentityProviderMapping:CustomIdentityProviderMapping", + "majorVersion": 5 }, "keycloak_custom_user_federation": { - "current": "keycloak:index/customUserFederation:CustomUserFederation" + "current": "keycloak:index/customUserFederation:CustomUserFederation", + "majorVersion": 5 }, "keycloak_default_groups": { "current": "keycloak:index/defaultGroups:DefaultGroups", + "majorVersion": 5, "fields": { "group_ids": { "maxItemsOne": false @@ -38,6 +48,7 @@ }, "keycloak_default_roles": { "current": "keycloak:index/defaultRoles:DefaultRoles", + "majorVersion": 5, "fields": { "default_roles": { "maxItemsOne": false @@ -45,22 +56,28 @@ } }, "keycloak_generic_client_protocol_mapper": { - "current": "keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper" + "current": "keycloak:index/genericClientProtocolMapper:GenericClientProtocolMapper", + "majorVersion": 5 }, "keycloak_generic_client_role_mapper": { - "current": "keycloak:index/genericClientRoleMapper:GenericClientRoleMapper" + "current": "keycloak:index/genericClientRoleMapper:GenericClientRoleMapper", + "majorVersion": 5 }, "keycloak_generic_protocol_mapper": { - "current": "keycloak:index/genericProtocolMapper:GenericProtocolMapper" + "current": "keycloak:index/genericProtocolMapper:GenericProtocolMapper", + "majorVersion": 5 }, "keycloak_generic_role_mapper": { - "current": "keycloak:index/genericRoleMapper:GenericRoleMapper" + "current": "keycloak:index/genericRoleMapper:GenericRoleMapper", + "majorVersion": 5 }, "keycloak_group": { - "current": "keycloak:index/group:Group" + "current": "keycloak:index/group:Group", + "majorVersion": 5 }, "keycloak_group_memberships": { "current": "keycloak:index/groupMemberships:GroupMemberships", + "majorVersion": 5, "fields": { "members": { "maxItemsOne": false @@ -69,6 +86,7 @@ }, "keycloak_group_permissions": { "current": "keycloak:index/groupPermissions:GroupPermissions", + "majorVersion": 5, "fields": { "manage_members_scope": { "maxItemsOne": true, @@ -124,6 +142,7 @@ }, "keycloak_group_roles": { "current": "keycloak:index/groupRoles:GroupRoles", + "majorVersion": 5, "fields": { "role_ids": { "maxItemsOne": false @@ -131,13 +150,16 @@ } }, "keycloak_hardcoded_attribute_identity_provider_mapper": { - "current": "keycloak:index/hardcodedAttributeIdentityProviderMapper:HardcodedAttributeIdentityProviderMapper" + "current": "keycloak:index/hardcodedAttributeIdentityProviderMapper:HardcodedAttributeIdentityProviderMapper", + "majorVersion": 5 }, "keycloak_hardcoded_role_identity_provider_mapper": { - "current": "keycloak:index/hardcodedRoleIdentityMapper:HardcodedRoleIdentityMapper" + "current": "keycloak:index/hardcodedRoleIdentityMapper:HardcodedRoleIdentityMapper", + "majorVersion": 5 }, "keycloak_identity_provider_token_exchange_scope_permission": { "current": "keycloak:index/identityProviderTokenExchangeScopePermission:IdentityProviderTokenExchangeScopePermission", + "majorVersion": 5, "fields": { "clients": { "maxItemsOne": false @@ -145,10 +167,12 @@ } }, "keycloak_ldap_full_name_mapper": { - "current": "keycloak:ldap/fullNameMapper:FullNameMapper" + "current": "keycloak:ldap/fullNameMapper:FullNameMapper", + "majorVersion": 5 }, "keycloak_ldap_group_mapper": { "current": "keycloak:ldap/groupMapper:GroupMapper", + "majorVersion": 5, "fields": { "group_object_classes": { "maxItemsOne": false @@ -159,22 +183,28 @@ } }, "keycloak_ldap_hardcoded_attribute_mapper": { - "current": "keycloak:ldap/hardcodedAttributeMapper:HardcodedAttributeMapper" + "current": "keycloak:ldap/hardcodedAttributeMapper:HardcodedAttributeMapper", + "majorVersion": 5 }, "keycloak_ldap_hardcoded_group_mapper": { - "current": "keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper" + "current": "keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper", + "majorVersion": 5 }, "keycloak_ldap_hardcoded_role_mapper": { - "current": "keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper" + "current": "keycloak:ldap/hardcodedRoleMapper:HardcodedRoleMapper", + "majorVersion": 5 }, "keycloak_ldap_msad_lds_user_account_control_mapper": { - "current": "keycloak:ldap/msadLdsUserAccountControlMapper:MsadLdsUserAccountControlMapper" + "current": "keycloak:ldap/msadLdsUserAccountControlMapper:MsadLdsUserAccountControlMapper", + "majorVersion": 5 }, "keycloak_ldap_msad_user_account_control_mapper": { - "current": "keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper" + "current": "keycloak:ldap/msadUserAccountControlMapper:MsadUserAccountControlMapper", + "majorVersion": 5 }, "keycloak_ldap_role_mapper": { "current": "keycloak:ldap/roleMapper:RoleMapper", + "majorVersion": 5, "fields": { "role_object_classes": { "maxItemsOne": false @@ -182,10 +212,12 @@ } }, "keycloak_ldap_user_attribute_mapper": { - "current": "keycloak:ldap/userAttributeMapper:UserAttributeMapper" + "current": "keycloak:ldap/userAttributeMapper:UserAttributeMapper", + "majorVersion": 5 }, "keycloak_ldap_user_federation": { "current": "keycloak:ldap/userFederation:UserFederation", + "majorVersion": 5, "fields": { "cache": { "maxItemsOne": true @@ -199,19 +231,31 @@ } }, "keycloak_oidc_google_identity_provider": { - "current": "keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider" + "current": "keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider", + "majorVersion": 5 }, "keycloak_oidc_identity_provider": { - "current": "keycloak:oidc/identityProvider:IdentityProvider" + "current": "keycloak:oidc/identityProvider:IdentityProvider", + "majorVersion": 5 }, "keycloak_openid_audience_protocol_mapper": { - "current": "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper" + "current": "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_audience_resolve_protocol_mapper": { - "current": "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter" + "current": "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", + "past": [ + { + "name": "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter", + "inCodegen": true, + "majorVersion": 5 + } + ], + "majorVersion": 5 }, "keycloak_openid_client": { "current": "keycloak:openid/client:Client", + "majorVersion": 5, "fields": { "authentication_flow_binding_overrides": { "maxItemsOne": true @@ -232,6 +276,7 @@ }, "keycloak_openid_client_aggregate_policy": { "current": "keycloak:openid/clientAggregatePolicy:ClientAggregatePolicy", + "majorVersion": 5, "fields": { "policies": { "maxItemsOne": false @@ -240,6 +285,7 @@ }, "keycloak_openid_client_authorization_permission": { "current": "keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission", + "majorVersion": 5, "fields": { "policies": { "maxItemsOne": false @@ -254,6 +300,7 @@ }, "keycloak_openid_client_authorization_resource": { "current": "keycloak:openid/clientAuthorizationResource:ClientAuthorizationResource", + "majorVersion": 5, "fields": { "scopes": { "maxItemsOne": false @@ -264,10 +311,12 @@ } }, "keycloak_openid_client_authorization_scope": { - "current": "keycloak:openid/clientAuthorizationScope:ClientAuthorizationScope" + "current": "keycloak:openid/clientAuthorizationScope:ClientAuthorizationScope", + "majorVersion": 5 }, "keycloak_openid_client_client_policy": { "current": "keycloak:openid/clientPolicy:ClientPolicy", + "majorVersion": 5, "fields": { "clients": { "maxItemsOne": false @@ -276,6 +325,7 @@ }, "keycloak_openid_client_default_scopes": { "current": "keycloak:openid/clientDefaultScopes:ClientDefaultScopes", + "majorVersion": 5, "fields": { "default_scopes": { "maxItemsOne": false @@ -284,6 +334,7 @@ }, "keycloak_openid_client_group_policy": { "current": "keycloak:openid/clientGroupPolicy:ClientGroupPolicy", + "majorVersion": 5, "fields": { "groups": { "maxItemsOne": false @@ -291,10 +342,12 @@ } }, "keycloak_openid_client_js_policy": { - "current": "keycloak:openid/clientJsPolicy:ClientJsPolicy" + "current": "keycloak:openid/clientJsPolicy:ClientJsPolicy", + "majorVersion": 5 }, "keycloak_openid_client_optional_scopes": { "current": "keycloak:openid/clientOptionalScopes:ClientOptionalScopes", + "majorVersion": 5, "fields": { "optional_scopes": { "maxItemsOne": false @@ -303,6 +356,7 @@ }, "keycloak_openid_client_permissions": { "current": "keycloak:openid/clientPermissions:ClientPermissions", + "majorVersion": 5, "fields": { "configure_scope": { "maxItemsOne": true, @@ -378,6 +432,7 @@ }, "keycloak_openid_client_role_policy": { "current": "keycloak:openid/clientRolePolicy:ClientRolePolicy", + "majorVersion": 5, "fields": { "role": { "maxItemsOne": false @@ -385,19 +440,24 @@ } }, "keycloak_openid_client_scope": { - "current": "keycloak:openid/clientScope:ClientScope" + "current": "keycloak:openid/clientScope:ClientScope", + "majorVersion": 5 }, "keycloak_openid_client_service_account_realm_role": { - "current": "keycloak:openid/clientServiceAccountRealmRole:ClientServiceAccountRealmRole" + "current": "keycloak:openid/clientServiceAccountRealmRole:ClientServiceAccountRealmRole", + "majorVersion": 5 }, "keycloak_openid_client_service_account_role": { - "current": "keycloak:openid/clientServiceAccountRole:ClientServiceAccountRole" + "current": "keycloak:openid/clientServiceAccountRole:ClientServiceAccountRole", + "majorVersion": 5 }, "keycloak_openid_client_time_policy": { - "current": "keycloak:openid/clientTimePolicy:ClientTimePolicy" + "current": "keycloak:openid/clientTimePolicy:ClientTimePolicy", + "majorVersion": 5 }, "keycloak_openid_client_user_policy": { "current": "keycloak:openid/clientUserPolicy:ClientUserPolicy", + "majorVersion": 5, "fields": { "users": { "maxItemsOne": false @@ -405,37 +465,48 @@ } }, "keycloak_openid_full_name_protocol_mapper": { - "current": "keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper" + "current": "keycloak:openid/fullNameProtocolMapper:FullNameProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_group_membership_protocol_mapper": { - "current": "keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper" + "current": "keycloak:openid/groupMembershipProtocolMapper:GroupMembershipProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_hardcoded_claim_protocol_mapper": { - "current": "keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper" + "current": "keycloak:openid/hardcodedClaimProtocolMapper:HardcodedClaimProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_hardcoded_role_protocol_mapper": { - "current": "keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper" + "current": "keycloak:openid/hardcodedRoleProtocolMapper:HardcodedRoleProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_script_protocol_mapper": { - "current": "keycloak:openid/scriptProtocolMapper:ScriptProtocolMapper" + "current": "keycloak:openid/scriptProtocolMapper:ScriptProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_user_attribute_protocol_mapper": { - "current": "keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper" + "current": "keycloak:openid/userAttributeProtocolMapper:UserAttributeProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_user_client_role_protocol_mapper": { - "current": "keycloak:openid/userClientRoleProtocolMapper:UserClientRoleProtocolMapper" + "current": "keycloak:openid/userClientRoleProtocolMapper:UserClientRoleProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_user_property_protocol_mapper": { - "current": "keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper" + "current": "keycloak:openid/userPropertyProtocolMapper:UserPropertyProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_user_realm_role_protocol_mapper": { - "current": "keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper" + "current": "keycloak:openid/userRealmRoleProtocolMapper:UserRealmRoleProtocolMapper", + "majorVersion": 5 }, "keycloak_openid_user_session_note_protocol_mapper": { - "current": "keycloak:openid/userSessionNoteProtocolMapper:UserSessionNoteProtocolMapper" + "current": "keycloak:openid/userSessionNoteProtocolMapper:UserSessionNoteProtocolMapper", + "majorVersion": 5 }, "keycloak_realm": { "current": "keycloak:index/realm:Realm", + "majorVersion": 5, "fields": { "default_default_client_scopes": { "maxItemsOne": false @@ -509,6 +580,7 @@ }, "keycloak_realm_events": { "current": "keycloak:index/realmEvents:RealmEvents", + "majorVersion": 5, "fields": { "enabled_event_types": { "maxItemsOne": false @@ -519,25 +591,32 @@ } }, "keycloak_realm_keystore_aes_generated": { - "current": "keycloak:index/realmKeystoreAesGenerated:RealmKeystoreAesGenerated" + "current": "keycloak:index/realmKeystoreAesGenerated:RealmKeystoreAesGenerated", + "majorVersion": 5 }, "keycloak_realm_keystore_ecdsa_generated": { - "current": "keycloak:index/realmKeystoreEcdsaGenerated:RealmKeystoreEcdsaGenerated" + "current": "keycloak:index/realmKeystoreEcdsaGenerated:RealmKeystoreEcdsaGenerated", + "majorVersion": 5 }, "keycloak_realm_keystore_hmac_generated": { - "current": "keycloak:index/realmKeystoreHmacGenerated:RealmKeystoreHmacGenerated" + "current": "keycloak:index/realmKeystoreHmacGenerated:RealmKeystoreHmacGenerated", + "majorVersion": 5 }, "keycloak_realm_keystore_java_keystore": { - "current": "keycloak:index/realmKeystoreJavaGenerated:RealmKeystoreJavaGenerated" + "current": "keycloak:index/realmKeystoreJavaGenerated:RealmKeystoreJavaGenerated", + "majorVersion": 5 }, "keycloak_realm_keystore_rsa": { - "current": "keycloak:index/realmKeystoreRsa:RealmKeystoreRsa" + "current": "keycloak:index/realmKeystoreRsa:RealmKeystoreRsa", + "majorVersion": 5 }, "keycloak_realm_keystore_rsa_generated": { - "current": "keycloak:index/realmKeystoreRsaGenerated:RealmKeystoreRsaGenerated" + "current": "keycloak:index/realmKeystoreRsaGenerated:RealmKeystoreRsaGenerated", + "majorVersion": 5 }, "keycloak_realm_user_profile": { "current": "keycloak:index/realmUserProfile:RealmUserProfile", + "majorVersion": 5, "fields": { "attribute": { "maxItemsOne": false, @@ -577,10 +656,12 @@ } }, "keycloak_required_action": { - "current": "keycloak:index/requiredAction:RequiredAction" + "current": "keycloak:index/requiredAction:RequiredAction", + "majorVersion": 5 }, "keycloak_role": { "current": "keycloak:index/role:Role", + "majorVersion": 5, "fields": { "composite_roles": { "maxItemsOne": false @@ -589,6 +670,7 @@ }, "keycloak_saml_client": { "current": "keycloak:saml/client:Client", + "majorVersion": 5, "fields": { "authentication_flow_binding_overrides": { "maxItemsOne": true @@ -600,6 +682,7 @@ }, "keycloak_saml_client_default_scopes": { "current": "keycloak:saml/clientDefaultScope:ClientDefaultScope", + "majorVersion": 5, "fields": { "default_scopes": { "maxItemsOne": false @@ -607,10 +690,12 @@ } }, "keycloak_saml_client_scope": { - "current": "keycloak:saml/clientScope:ClientScope" + "current": "keycloak:saml/clientScope:ClientScope", + "majorVersion": 5 }, "keycloak_saml_identity_provider": { "current": "keycloak:saml/identityProvider:IdentityProvider", + "majorVersion": 5, "fields": { "authn_context_class_refs": { "maxItemsOne": false @@ -621,16 +706,20 @@ } }, "keycloak_saml_script_protocol_mapper": { - "current": "keycloak:saml/scriptProtocolMapper:ScriptProtocolMapper" + "current": "keycloak:saml/scriptProtocolMapper:ScriptProtocolMapper", + "majorVersion": 5 }, "keycloak_saml_user_attribute_protocol_mapper": { - "current": "keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper" + "current": "keycloak:saml/userAttributeProtocolMapper:UserAttributeProtocolMapper", + "majorVersion": 5 }, "keycloak_saml_user_property_protocol_mapper": { - "current": "keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper" + "current": "keycloak:saml/userPropertyProtocolMapper:UserPropertyProtocolMapper", + "majorVersion": 5 }, "keycloak_user": { "current": "keycloak:index/user:User", + "majorVersion": 5, "fields": { "federated_identity": { "maxItemsOne": false @@ -642,6 +731,7 @@ }, "keycloak_user_groups": { "current": "keycloak:index/userGroups:UserGroups", + "majorVersion": 5, "fields": { "group_ids": { "maxItemsOne": false @@ -650,6 +740,7 @@ }, "keycloak_user_roles": { "current": "keycloak:index/userRoles:UserRoles", + "majorVersion": 5, "fields": { "role_ids": { "maxItemsOne": false @@ -657,10 +748,12 @@ } }, "keycloak_user_template_importer_identity_provider_mapper": { - "current": "keycloak:index/userTemplateImporterIdentityProviderMapper:UserTemplateImporterIdentityProviderMapper" + "current": "keycloak:index/userTemplateImporterIdentityProviderMapper:UserTemplateImporterIdentityProviderMapper", + "majorVersion": 5 }, "keycloak_users_permissions": { "current": "keycloak:index/usersPermissions:UsersPermissions", + "majorVersion": 5, "fields": { "impersonate_scope": { "maxItemsOne": true, @@ -727,13 +820,16 @@ }, "datasources": { "keycloak_authentication_execution": { - "current": "keycloak:index/getAuthenticationExecution:getAuthenticationExecution" + "current": "keycloak:index/getAuthenticationExecution:getAuthenticationExecution", + "majorVersion": 5 }, "keycloak_authentication_flow": { - "current": "keycloak:index/getAuthenticationFlow:getAuthenticationFlow" + "current": "keycloak:index/getAuthenticationFlow:getAuthenticationFlow", + "majorVersion": 5 }, "keycloak_client_description_converter": { "current": "keycloak:index/getClientDescriptionConverter:getClientDescriptionConverter", + "majorVersion": 5, "fields": { "default_client_scopes": { "maxItemsOne": false @@ -756,10 +852,12 @@ } }, "keycloak_group": { - "current": "keycloak:index/getGroup:getGroup" + "current": "keycloak:index/getGroup:getGroup", + "majorVersion": 5 }, "keycloak_openid_client": { "current": "keycloak:openid/getClient:getClient", + "majorVersion": 5, "fields": { "authentication_flow_binding_overrides": { "maxItemsOne": false @@ -780,6 +878,7 @@ }, "keycloak_openid_client_authorization_policy": { "current": "keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy", + "majorVersion": 5, "fields": { "policies": { "maxItemsOne": false @@ -793,10 +892,12 @@ } }, "keycloak_openid_client_scope": { - "current": "keycloak:openid/getClientScope:getClientScope" + "current": "keycloak:openid/getClientScope:getClientScope", + "majorVersion": 5 }, "keycloak_openid_client_service_account_user": { "current": "keycloak:openid/getClientServiceAccountUser:getClientServiceAccountUser", + "majorVersion": 5, "fields": { "federated_identity": { "maxItemsOne": false @@ -805,6 +906,7 @@ }, "keycloak_realm": { "current": "keycloak:index/getRealm:getRealm", + "majorVersion": 5, "fields": { "default_default_client_scopes": { "maxItemsOne": false @@ -878,6 +980,7 @@ }, "keycloak_realm_keys": { "current": "keycloak:index/getRealmKeys:getRealmKeys", + "majorVersion": 5, "fields": { "algorithms": { "maxItemsOne": false @@ -892,6 +995,7 @@ }, "keycloak_role": { "current": "keycloak:index/getRole:getRole", + "majorVersion": 5, "fields": { "composite_roles": { "maxItemsOne": false @@ -900,6 +1004,7 @@ }, "keycloak_saml_client": { "current": "keycloak:saml/getClient:getClient", + "majorVersion": 5, "fields": { "authentication_flow_binding_overrides": { "maxItemsOne": false @@ -910,10 +1015,12 @@ } }, "keycloak_saml_client_installation_provider": { - "current": "keycloak:saml/getClientInstallationProvider:getClientInstallationProvider" + "current": "keycloak:saml/getClientInstallationProvider:getClientInstallationProvider", + "majorVersion": 5 }, "keycloak_user": { "current": "keycloak:index/getUser:getUser", + "majorVersion": 5, "fields": { "federated_identity": { "maxItemsOne": false @@ -922,6 +1029,7 @@ }, "keycloak_user_realm_roles": { "current": "keycloak:index/getUserRealmRoles:getUserRealmRoles", + "majorVersion": 5, "fields": { "role_names": { "maxItemsOne": false @@ -930,7 +1038,15 @@ } } }, - "auto-settings": {}, + "auto-settings": { + "resources": { + "keycloak_openid_audience_resolve_protocol_mapper": { + "aliases": [ + "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter" + ] + } + } + }, "renames": { "resources": { "keycloak:authentication/bindings:Bindings": "keycloak_authentication_bindings", @@ -984,7 +1100,8 @@ "keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider": "keycloak_oidc_google_identity_provider", "keycloak:oidc/identityProvider:IdentityProvider": "keycloak_oidc_identity_provider", "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper": "keycloak_openid_audience_protocol_mapper", - "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": "keycloak_openid_audience_resolve_protocol_mapper", + "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper": "keycloak_openid_audience_resolve_protocol_mapper", + "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": "keycloak_openid_audience_resolve_protocol_mapper_legacy", "keycloak:openid/client:Client": "keycloak_openid_client", "keycloak:openid/clientAggregatePolicy:ClientAggregatePolicy": "keycloak_openid_client_aggregate_policy", "keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission": "keycloak_openid_client_authorization_permission", @@ -1823,6 +1940,11 @@ "includedCustomAudience": "included_custom_audience", "realmId": "realm_id" }, + "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper": { + "clientId": "client_id", + "clientScopeId": "client_scope_id", + "realmId": "realm_id" + }, "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": { "clientId": "client_id", "clientScopeId": "client_scope_id", diff --git a/provider/cmd/pulumi-resource-keycloak/schema.json b/provider/cmd/pulumi-resource-keycloak/schema.json index 99e7bb87..06f5bacf 100644 --- a/provider/cmd/pulumi-resource-keycloak/schema.json +++ b/provider/cmd/pulumi-resource-keycloak/schema.json @@ -2287,18 +2287,19 @@ } }, "keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper": { + "description": "Allows for creating and managing an attribute to role identity provider mapper within Keycloak.\n\n\u003e If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst oidcIdentityProvider = new keycloak.oidc.IdentityProvider(\"oidcIdentityProvider\", {\n realm: realm.id,\n alias: \"oidc\",\n authorizationUrl: \"https://example.com/auth\",\n tokenUrl: \"https://example.com/token\",\n clientId: \"example_id\",\n clientSecret: \"example_token\",\n defaultScopes: \"openid random profile\",\n});\nconst realmRole = new keycloak.Role(\"realmRole\", {\n realmId: realm.id,\n description: \"My Realm Role\",\n});\nconst oidcAttributeToRoleIdentityMapper = new keycloak.AttributeToRoleIdentityMapper(\"oidcAttributeToRoleIdentityMapper\", {\n realm: realm.id,\n identityProviderAlias: oidcIdentityProvider.alias,\n role: \"my-realm-role\",\n claimName: \"my-claim\",\n claimValue: \"my-value\",\n extraConfig: {\n syncMode: \"INHERIT\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\noidc_identity_provider = keycloak.oidc.IdentityProvider(\"oidcIdentityProvider\",\n realm=realm.id,\n alias=\"oidc\",\n authorization_url=\"https://example.com/auth\",\n token_url=\"https://example.com/token\",\n client_id=\"example_id\",\n client_secret=\"example_token\",\n default_scopes=\"openid random profile\")\nrealm_role = keycloak.Role(\"realmRole\",\n realm_id=realm.id,\n description=\"My Realm Role\")\noidc_attribute_to_role_identity_mapper = keycloak.AttributeToRoleIdentityMapper(\"oidcAttributeToRoleIdentityMapper\",\n realm=realm.id,\n identity_provider_alias=oidc_identity_provider.alias,\n role=\"my-realm-role\",\n claim_name=\"my-claim\",\n claim_value=\"my-value\",\n extra_config={\n \"syncMode\": \"INHERIT\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var oidcIdentityProvider = new Keycloak.Oidc.IdentityProvider(\"oidcIdentityProvider\", new()\n {\n Realm = realm.Id,\n Alias = \"oidc\",\n AuthorizationUrl = \"https://example.com/auth\",\n TokenUrl = \"https://example.com/token\",\n ClientId = \"example_id\",\n ClientSecret = \"example_token\",\n DefaultScopes = \"openid random profile\",\n });\n\n var realmRole = new Keycloak.Role(\"realmRole\", new()\n {\n RealmId = realm.Id,\n Description = \"My Realm Role\",\n });\n\n var oidcAttributeToRoleIdentityMapper = new Keycloak.AttributeToRoleIdentityMapper(\"oidcAttributeToRoleIdentityMapper\", new()\n {\n Realm = realm.Id,\n IdentityProviderAlias = oidcIdentityProvider.Alias,\n Role = \"my-realm-role\",\n ClaimName = \"my-claim\",\n ClaimValue = \"my-value\",\n ExtraConfig = \n {\n { \"syncMode\", \"INHERIT\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toidcIdentityProvider, err := oidc.NewIdentityProvider(ctx, \"oidcIdentityProvider\", \u0026oidc.IdentityProviderArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tAlias: pulumi.String(\"oidc\"),\n\t\t\tAuthorizationUrl: pulumi.String(\"https://example.com/auth\"),\n\t\t\tTokenUrl: pulumi.String(\"https://example.com/token\"),\n\t\t\tClientId: pulumi.String(\"example_id\"),\n\t\t\tClientSecret: pulumi.String(\"example_token\"),\n\t\t\tDefaultScopes: pulumi.String(\"openid random profile\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"realmRole\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tDescription: pulumi.String(\"My Realm Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewAttributeToRoleIdentityMapper(ctx, \"oidcAttributeToRoleIdentityMapper\", \u0026keycloak.AttributeToRoleIdentityMapperArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tIdentityProviderAlias: oidcIdentityProvider.Alias,\n\t\t\tRole: pulumi.String(\"my-realm-role\"),\n\t\t\tClaimName: pulumi.String(\"my-claim\"),\n\t\t\tClaimValue: pulumi.String(\"my-value\"),\n\t\t\tExtraConfig: pulumi.Map{\n\t\t\t\t\"syncMode\": pulumi.Any(\"INHERIT\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.oidc.IdentityProvider;\nimport com.pulumi.keycloak.oidc.IdentityProviderArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.AttributeToRoleIdentityMapper;\nimport com.pulumi.keycloak.AttributeToRoleIdentityMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var oidcIdentityProvider = new IdentityProvider(\"oidcIdentityProvider\", IdentityProviderArgs.builder() \n .realm(realm.id())\n .alias(\"oidc\")\n .authorizationUrl(\"https://example.com/auth\")\n .tokenUrl(\"https://example.com/token\")\n .clientId(\"example_id\")\n .clientSecret(\"example_token\")\n .defaultScopes(\"openid random profile\")\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder() \n .realmId(realm.id())\n .description(\"My Realm Role\")\n .build());\n\n var oidcAttributeToRoleIdentityMapper = new AttributeToRoleIdentityMapper(\"oidcAttributeToRoleIdentityMapper\", AttributeToRoleIdentityMapperArgs.builder() \n .realm(realm.id())\n .identityProviderAlias(oidcIdentityProvider.alias())\n .role(\"my-realm-role\")\n .claimName(\"my-claim\")\n .claimValue(\"my-value\")\n .extraConfig(Map.of(\"syncMode\", \"INHERIT\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n oidcIdentityProvider:\n type: keycloak:oidc:IdentityProvider\n properties:\n realm: ${realm.id}\n alias: oidc\n authorizationUrl: https://example.com/auth\n tokenUrl: https://example.com/token\n clientId: example_id\n clientSecret: example_token\n defaultScopes: openid random profile\n realmRole:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n description: My Realm Role\n oidcAttributeToRoleIdentityMapper:\n type: keycloak:AttributeToRoleIdentityMapper\n properties:\n realm: ${realm.id}\n identityProviderAlias: ${oidcIdentityProvider.alias}\n role: my-realm-role\n claimName: my-claim\n claimValue: my-value\n # extra_config with syncMode is required in Keycloak 10+\n extraConfig:\n syncMode: INHERIT\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nIdentity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash\n\n```sh\n $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b\n```\n\n ", "properties": { "attributeFriendlyName": { "type": "string", - "description": "Attribute Friendly Name\n" + "description": "Attribute Friendly Name. Conflicts with `attribute_name`.\n" }, "attributeName": { "type": "string", - "description": "Attribute Name\n" + "description": "Attribute Name.\n" }, "attributeValue": { "type": "string", - "description": "Attribute Value\n" + "description": "Attribute Value.\n" }, "claimName": { "type": "string", @@ -2312,23 +2313,24 @@ "type": "object", "additionalProperties": { "$ref": "pulumi.json#/Any" - } + }, + "description": "Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.\n" }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n" + "description": "The alias of the associated identity provider.\n" }, "name": { "type": "string", - "description": "IDP Mapper Name\n" + "description": "The name of the mapper.\n" }, "realm": { "type": "string", - "description": "Realm Name\n" + "description": "The name of the realm.\n" }, "role": { "type": "string", - "description": "Role Name\n" + "description": "Role Name.\n" } }, "required": [ @@ -2340,15 +2342,15 @@ "inputProperties": { "attributeFriendlyName": { "type": "string", - "description": "Attribute Friendly Name\n" + "description": "Attribute Friendly Name. Conflicts with `attribute_name`.\n" }, "attributeName": { "type": "string", - "description": "Attribute Name\n" + "description": "Attribute Name.\n" }, "attributeValue": { "type": "string", - "description": "Attribute Value\n" + "description": "Attribute Value.\n" }, "claimName": { "type": "string", @@ -2362,26 +2364,27 @@ "type": "object", "additionalProperties": { "$ref": "pulumi.json#/Any" - } + }, + "description": "Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.\n" }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The alias of the associated identity provider.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "The name of the mapper.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The name of the realm.\n", "willReplaceOnChanges": true }, "role": { "type": "string", - "description": "Role Name\n" + "description": "Role Name.\n" } }, "requiredInputs": [ @@ -2394,15 +2397,15 @@ "properties": { "attributeFriendlyName": { "type": "string", - "description": "Attribute Friendly Name\n" + "description": "Attribute Friendly Name. Conflicts with `attribute_name`.\n" }, "attributeName": { "type": "string", - "description": "Attribute Name\n" + "description": "Attribute Name.\n" }, "attributeValue": { "type": "string", - "description": "Attribute Value\n" + "description": "Attribute Value.\n" }, "claimName": { "type": "string", @@ -2416,26 +2419,27 @@ "type": "object", "additionalProperties": { "$ref": "pulumi.json#/Any" - } + }, + "description": "Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features.\n" }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The alias of the associated identity provider.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "The name of the mapper.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The name of the realm.\n", "willReplaceOnChanges": true }, "role": { "type": "string", - "description": "Role Name\n" + "description": "Role Name.\n" } }, "type": "object" @@ -3589,14 +3593,15 @@ } }, "keycloak:index/hardcodedAttributeIdentityProviderMapper:HardcodedAttributeIdentityProviderMapper": { + "description": "Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider.\n\nThe identity provider hardcoded attribute mapper will set the specified value to the IDP attribute.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst oidcIdentityProvider = new keycloak.oidc.IdentityProvider(\"oidcIdentityProvider\", {\n realm: realm.id,\n alias: \"my-idp\",\n authorizationUrl: \"https://authorizationurl.com\",\n clientId: \"clientID\",\n clientSecret: \"clientSecret\",\n tokenUrl: \"https://tokenurl.com\",\n});\nconst oidcHardcodedAttributeIdentityProviderMapper = new keycloak.HardcodedAttributeIdentityProviderMapper(\"oidcHardcodedAttributeIdentityProviderMapper\", {\n realm: realm.id,\n identityProviderAlias: oidcIdentityProvider.alias,\n attributeName: \"attribute\",\n attributeValue: \"value\",\n userSession: true,\n extraConfig: {\n syncMode: \"INHERIT\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\noidc_identity_provider = keycloak.oidc.IdentityProvider(\"oidcIdentityProvider\",\n realm=realm.id,\n alias=\"my-idp\",\n authorization_url=\"https://authorizationurl.com\",\n client_id=\"clientID\",\n client_secret=\"clientSecret\",\n token_url=\"https://tokenurl.com\")\noidc_hardcoded_attribute_identity_provider_mapper = keycloak.HardcodedAttributeIdentityProviderMapper(\"oidcHardcodedAttributeIdentityProviderMapper\",\n realm=realm.id,\n identity_provider_alias=oidc_identity_provider.alias,\n attribute_name=\"attribute\",\n attribute_value=\"value\",\n user_session=True,\n extra_config={\n \"syncMode\": \"INHERIT\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var oidcIdentityProvider = new Keycloak.Oidc.IdentityProvider(\"oidcIdentityProvider\", new()\n {\n Realm = realm.Id,\n Alias = \"my-idp\",\n AuthorizationUrl = \"https://authorizationurl.com\",\n ClientId = \"clientID\",\n ClientSecret = \"clientSecret\",\n TokenUrl = \"https://tokenurl.com\",\n });\n\n var oidcHardcodedAttributeIdentityProviderMapper = new Keycloak.HardcodedAttributeIdentityProviderMapper(\"oidcHardcodedAttributeIdentityProviderMapper\", new()\n {\n Realm = realm.Id,\n IdentityProviderAlias = oidcIdentityProvider.Alias,\n AttributeName = \"attribute\",\n AttributeValue = \"value\",\n UserSession = true,\n ExtraConfig = \n {\n { \"syncMode\", \"INHERIT\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toidcIdentityProvider, err := oidc.NewIdentityProvider(ctx, \"oidcIdentityProvider\", \u0026oidc.IdentityProviderArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tAlias: pulumi.String(\"my-idp\"),\n\t\t\tAuthorizationUrl: pulumi.String(\"https://authorizationurl.com\"),\n\t\t\tClientId: pulumi.String(\"clientID\"),\n\t\t\tClientSecret: pulumi.String(\"clientSecret\"),\n\t\t\tTokenUrl: pulumi.String(\"https://tokenurl.com\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewHardcodedAttributeIdentityProviderMapper(ctx, \"oidcHardcodedAttributeIdentityProviderMapper\", \u0026keycloak.HardcodedAttributeIdentityProviderMapperArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tIdentityProviderAlias: oidcIdentityProvider.Alias,\n\t\t\tAttributeName: pulumi.String(\"attribute\"),\n\t\t\tAttributeValue: pulumi.String(\"value\"),\n\t\t\tUserSession: pulumi.Bool(true),\n\t\t\tExtraConfig: pulumi.Map{\n\t\t\t\t\"syncMode\": pulumi.Any(\"INHERIT\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.oidc.IdentityProvider;\nimport com.pulumi.keycloak.oidc.IdentityProviderArgs;\nimport com.pulumi.keycloak.HardcodedAttributeIdentityProviderMapper;\nimport com.pulumi.keycloak.HardcodedAttributeIdentityProviderMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var oidcIdentityProvider = new IdentityProvider(\"oidcIdentityProvider\", IdentityProviderArgs.builder() \n .realm(realm.id())\n .alias(\"my-idp\")\n .authorizationUrl(\"https://authorizationurl.com\")\n .clientId(\"clientID\")\n .clientSecret(\"clientSecret\")\n .tokenUrl(\"https://tokenurl.com\")\n .build());\n\n var oidcHardcodedAttributeIdentityProviderMapper = new HardcodedAttributeIdentityProviderMapper(\"oidcHardcodedAttributeIdentityProviderMapper\", HardcodedAttributeIdentityProviderMapperArgs.builder() \n .realm(realm.id())\n .identityProviderAlias(oidcIdentityProvider.alias())\n .attributeName(\"attribute\")\n .attributeValue(\"value\")\n .userSession(true)\n .extraConfig(Map.of(\"syncMode\", \"INHERIT\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n oidcIdentityProvider:\n type: keycloak:oidc:IdentityProvider\n properties:\n realm: ${realm.id}\n alias: my-idp\n authorizationUrl: https://authorizationurl.com\n clientId: clientID\n clientSecret: clientSecret\n tokenUrl: https://tokenurl.com\n oidcHardcodedAttributeIdentityProviderMapper:\n type: keycloak:HardcodedAttributeIdentityProviderMapper\n properties:\n realm: ${realm.id}\n identityProviderAlias: ${oidcIdentityProvider.alias}\n attributeName: attribute\n attributeValue: value\n userSession: true\n extraConfig:\n syncMode: INHERIT\n```\n{{% /example %}}\n{{% /examples %}}", "properties": { "attributeName": { "type": "string", - "description": "OIDC Claim\n" + "description": "The name of the IDP attribute to set.\n" }, "attributeValue": { "type": "string", - "description": "User Attribute\n" + "description": "The value to set to the attribute. You can hardcode any value like 'foo'.\n" }, "extraConfig": { "type": "object", @@ -3606,19 +3611,19 @@ }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n" + "description": "The IDP alias of the attribute to set.\n" }, "name": { "type": "string", - "description": "IDP Mapper Name\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realm": { "type": "string", - "description": "Realm Name\n" + "description": "The realm ID that this mapper will exist in.\n" }, "userSession": { "type": "boolean", - "description": "Is Attribute Related To a User Session\n" + "description": "Is Attribute related to a User Session.\n" } }, "required": [ @@ -3630,11 +3635,11 @@ "inputProperties": { "attributeName": { "type": "string", - "description": "OIDC Claim\n" + "description": "The name of the IDP attribute to set.\n" }, "attributeValue": { "type": "string", - "description": "User Attribute\n" + "description": "The value to set to the attribute. You can hardcode any value like 'foo'.\n" }, "extraConfig": { "type": "object", @@ -3644,22 +3649,22 @@ }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The IDP alias of the attribute to set.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "Display name of this mapper when displayed in the console.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The realm ID that this mapper will exist in.\n", "willReplaceOnChanges": true }, "userSession": { "type": "boolean", - "description": "Is Attribute Related To a User Session\n", + "description": "Is Attribute related to a User Session.\n", "willReplaceOnChanges": true } }, @@ -3673,11 +3678,11 @@ "properties": { "attributeName": { "type": "string", - "description": "OIDC Claim\n" + "description": "The name of the IDP attribute to set.\n" }, "attributeValue": { "type": "string", - "description": "User Attribute\n" + "description": "The value to set to the attribute. You can hardcode any value like 'foo'.\n" }, "extraConfig": { "type": "object", @@ -3687,22 +3692,22 @@ }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The IDP alias of the attribute to set.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "Display name of this mapper when displayed in the console.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The realm ID that this mapper will exist in.\n", "willReplaceOnChanges": true }, "userSession": { "type": "boolean", - "description": "Is Attribute Related To a User Session\n", + "description": "Is Attribute related to a User Session.\n", "willReplaceOnChanges": true } }, @@ -3710,6 +3715,7 @@ } }, "keycloak:index/hardcodedRoleIdentityMapper:HardcodedRoleIdentityMapper": { + "description": "Allows for creating and managing hardcoded role mappers for Keycloak identity provider.\n\nThe identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst oidcIdentityProvider = new keycloak.oidc.IdentityProvider(\"oidcIdentityProvider\", {\n realm: realm.id,\n alias: \"my-idp\",\n authorizationUrl: \"https://authorizationurl.com\",\n clientId: \"clientID\",\n clientSecret: \"clientSecret\",\n tokenUrl: \"https://tokenurl.com\",\n});\nconst realmRole = new keycloak.Role(\"realmRole\", {\n realmId: realm.id,\n description: \"My Realm Role\",\n});\nconst oidcHardcodedRoleIdentityMapper = new keycloak.HardcodedRoleIdentityMapper(\"oidcHardcodedRoleIdentityMapper\", {\n realm: realm.id,\n identityProviderAlias: oidcIdentityProvider.alias,\n role: \"my-realm-role\",\n extraConfig: {\n syncMode: \"INHERIT\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\noidc_identity_provider = keycloak.oidc.IdentityProvider(\"oidcIdentityProvider\",\n realm=realm.id,\n alias=\"my-idp\",\n authorization_url=\"https://authorizationurl.com\",\n client_id=\"clientID\",\n client_secret=\"clientSecret\",\n token_url=\"https://tokenurl.com\")\nrealm_role = keycloak.Role(\"realmRole\",\n realm_id=realm.id,\n description=\"My Realm Role\")\noidc_hardcoded_role_identity_mapper = keycloak.HardcodedRoleIdentityMapper(\"oidcHardcodedRoleIdentityMapper\",\n realm=realm.id,\n identity_provider_alias=oidc_identity_provider.alias,\n role=\"my-realm-role\",\n extra_config={\n \"syncMode\": \"INHERIT\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var oidcIdentityProvider = new Keycloak.Oidc.IdentityProvider(\"oidcIdentityProvider\", new()\n {\n Realm = realm.Id,\n Alias = \"my-idp\",\n AuthorizationUrl = \"https://authorizationurl.com\",\n ClientId = \"clientID\",\n ClientSecret = \"clientSecret\",\n TokenUrl = \"https://tokenurl.com\",\n });\n\n var realmRole = new Keycloak.Role(\"realmRole\", new()\n {\n RealmId = realm.Id,\n Description = \"My Realm Role\",\n });\n\n var oidcHardcodedRoleIdentityMapper = new Keycloak.HardcodedRoleIdentityMapper(\"oidcHardcodedRoleIdentityMapper\", new()\n {\n Realm = realm.Id,\n IdentityProviderAlias = oidcIdentityProvider.Alias,\n Role = \"my-realm-role\",\n ExtraConfig = \n {\n { \"syncMode\", \"INHERIT\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toidcIdentityProvider, err := oidc.NewIdentityProvider(ctx, \"oidcIdentityProvider\", \u0026oidc.IdentityProviderArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tAlias: pulumi.String(\"my-idp\"),\n\t\t\tAuthorizationUrl: pulumi.String(\"https://authorizationurl.com\"),\n\t\t\tClientId: pulumi.String(\"clientID\"),\n\t\t\tClientSecret: pulumi.String(\"clientSecret\"),\n\t\t\tTokenUrl: pulumi.String(\"https://tokenurl.com\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewRole(ctx, \"realmRole\", \u0026keycloak.RoleArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tDescription: pulumi.String(\"My Realm Role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = keycloak.NewHardcodedRoleIdentityMapper(ctx, \"oidcHardcodedRoleIdentityMapper\", \u0026keycloak.HardcodedRoleIdentityMapperArgs{\n\t\t\tRealm: realm.ID(),\n\t\t\tIdentityProviderAlias: oidcIdentityProvider.Alias,\n\t\t\tRole: pulumi.String(\"my-realm-role\"),\n\t\t\tExtraConfig: pulumi.Map{\n\t\t\t\t\"syncMode\": pulumi.Any(\"INHERIT\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.oidc.IdentityProvider;\nimport com.pulumi.keycloak.oidc.IdentityProviderArgs;\nimport com.pulumi.keycloak.Role;\nimport com.pulumi.keycloak.RoleArgs;\nimport com.pulumi.keycloak.HardcodedRoleIdentityMapper;\nimport com.pulumi.keycloak.HardcodedRoleIdentityMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var oidcIdentityProvider = new IdentityProvider(\"oidcIdentityProvider\", IdentityProviderArgs.builder() \n .realm(realm.id())\n .alias(\"my-idp\")\n .authorizationUrl(\"https://authorizationurl.com\")\n .clientId(\"clientID\")\n .clientSecret(\"clientSecret\")\n .tokenUrl(\"https://tokenurl.com\")\n .build());\n\n var realmRole = new Role(\"realmRole\", RoleArgs.builder() \n .realmId(realm.id())\n .description(\"My Realm Role\")\n .build());\n\n var oidcHardcodedRoleIdentityMapper = new HardcodedRoleIdentityMapper(\"oidcHardcodedRoleIdentityMapper\", HardcodedRoleIdentityMapperArgs.builder() \n .realm(realm.id())\n .identityProviderAlias(oidcIdentityProvider.alias())\n .role(\"my-realm-role\")\n .extraConfig(Map.of(\"syncMode\", \"INHERIT\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n oidcIdentityProvider:\n type: keycloak:oidc:IdentityProvider\n properties:\n realm: ${realm.id}\n alias: my-idp\n authorizationUrl: https://authorizationurl.com\n clientId: clientID\n clientSecret: clientSecret\n tokenUrl: https://tokenurl.com\n realmRole:\n type: keycloak:Role\n properties:\n realmId: ${realm.id}\n description: My Realm Role\n oidcHardcodedRoleIdentityMapper:\n type: keycloak:HardcodedRoleIdentityMapper\n properties:\n realm: ${realm.id}\n identityProviderAlias: ${oidcIdentityProvider.alias}\n role: my-realm-role\n extraConfig:\n syncMode: INHERIT\n```\n{{% /example %}}\n{{% /examples %}}", "properties": { "extraConfig": { "type": "object", @@ -3719,19 +3725,19 @@ }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n" + "description": "The IDP alias of the attribute to set.\n" }, "name": { "type": "string", - "description": "IDP Mapper Name\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realm": { "type": "string", - "description": "Realm Name\n" + "description": "The realm ID that this mapper will exist in.\n" }, "role": { "type": "string", - "description": "Role Name\n" + "description": "The name of the role which should be assigned to the users.\n" } }, "required": [ @@ -3748,22 +3754,22 @@ }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The IDP alias of the attribute to set.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "Display name of this mapper when displayed in the console.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The realm ID that this mapper will exist in.\n", "willReplaceOnChanges": true }, "role": { "type": "string", - "description": "Role Name\n" + "description": "The name of the role which should be assigned to the users.\n" } }, "requiredInputs": [ @@ -3781,22 +3787,22 @@ }, "identityProviderAlias": { "type": "string", - "description": "IDP Alias\n", + "description": "The IDP alias of the attribute to set.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "IDP Mapper Name\n", + "description": "Display name of this mapper when displayed in the console.\n", "willReplaceOnChanges": true }, "realm": { "type": "string", - "description": "Realm Name\n", + "description": "The realm ID that this mapper will exist in.\n", "willReplaceOnChanges": true }, "role": { "type": "string", - "description": "Role Name\n" + "description": "The name of the role which should be assigned to the users.\n" } }, "type": "object" @@ -6181,6 +6187,7 @@ } }, "keycloak:index/usersPermissions:UsersPermissions": { + "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.OpenidFunctions;\nimport com.pulumi.keycloak.openid.inputs.GetClientArgs;\nimport com.pulumi.keycloak.openid.ClientPermissions;\nimport com.pulumi.keycloak.openid.ClientPermissionsArgs;\nimport com.pulumi.keycloak.User;\nimport com.pulumi.keycloak.UserArgs;\nimport com.pulumi.keycloak.openid.ClientUserPolicy;\nimport com.pulumi.keycloak.openid.ClientUserPolicyArgs;\nimport com.pulumi.keycloak.UsersPermissions;\nimport com.pulumi.keycloak.UsersPermissionsArgs;\nimport com.pulumi.keycloak.inputs.UsersPermissionsViewScopeArgs;\nimport com.pulumi.keycloak.inputs.UsersPermissionsManageScopeArgs;\nimport com.pulumi.keycloak.inputs.UsersPermissionsMapRolesScopeArgs;\nimport com.pulumi.keycloak.inputs.UsersPermissionsManageGroupMembershipScopeArgs;\nimport com.pulumi.keycloak.inputs.UsersPermissionsImpersonateScopeArgs;\nimport com.pulumi.keycloak.inputs.UsersPermissionsUserImpersonatedScopeArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .build());\n\n final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"realm-management\")\n .build());\n\n var realmManagementPermission = new ClientPermissions(\"realmManagementPermission\", ClientPermissionsArgs.builder() \n .realmId(realm.id())\n .clientId(realmManagement.applyValue(getClientResult -\u003e getClientResult).applyValue(realmManagement -\u003e realmManagement.applyValue(getClientResult -\u003e getClientResult.id())))\n .enabled(true)\n .build());\n\n var testUser = new User(\"testUser\", UserArgs.builder() \n .realmId(realm.id())\n .username(\"test-user\")\n .email(\"test-user@fakedomain.com\")\n .firstName(\"Testy\")\n .lastName(\"Tester\")\n .build());\n\n var testClientUserPolicy = new ClientUserPolicy(\"testClientUserPolicy\", ClientUserPolicyArgs.builder() \n .realmId(realm.id())\n .resourceServerId(realmManagement.applyValue(getClientResult -\u003e getClientResult).applyValue(realmManagement -\u003e realmManagement.applyValue(getClientResult -\u003e getClientResult.id())))\n .users(testUser.id())\n .logic(\"POSITIVE\")\n .decisionStrategy(\"UNANIMOUS\")\n .build(), CustomResourceOptions.builder()\n .dependsOn(realmManagementPermission)\n .build());\n\n var usersPermissions = new UsersPermissions(\"usersPermissions\", UsersPermissionsArgs.builder() \n .realmId(realm.id())\n .viewScope(UsersPermissionsViewScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .manageScope(UsersPermissionsManageScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .mapRolesScope(UsersPermissionsMapRolesScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .manageGroupMembershipScope(UsersPermissionsManageGroupMembershipScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .impersonateScope(UsersPermissionsImpersonateScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .userImpersonatedScope(UsersPermissionsUserImpersonatedScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n # enable permissions for realm-management client\n realmManagementPermission:\n type: keycloak:openid:ClientPermissions\n properties:\n realmId: ${realm.id}\n clientId: ${realmManagement.id}\n enabled: true\n # creating a user to use with the keycloak_openid_client_user_policy resource\n testUser:\n type: keycloak:User\n properties:\n realmId: ${realm.id}\n username: test-user\n email: test-user@fakedomain.com\n firstName: Testy\n lastName: Tester\n testClientUserPolicy:\n type: keycloak:openid:ClientUserPolicy\n properties:\n realmId: ${realm.id}\n resourceServerId: ${realmManagement.id}\n users:\n - ${testUser.id}\n logic: POSITIVE\n decisionStrategy: UNANIMOUS\n options:\n dependson:\n - ${realmManagementPermission}\n usersPermissions:\n type: keycloak:UsersPermissions\n properties:\n realmId: ${realm.id}\n viewScope:\n policies:\n - ${testClientUserPolicy.id}\n description: description\n decisionStrategy: UNANIMOUS\n manageScope:\n policies:\n - ${testClientUserPolicy.id}\n description: description\n decisionStrategy: UNANIMOUS\n mapRolesScope:\n policies:\n - ${testClientUserPolicy.id}\n description: description\n decisionStrategy: UNANIMOUS\n manageGroupMembershipScope:\n policies:\n - ${testClientUserPolicy.id}\n description: description\n decisionStrategy: UNANIMOUS\n impersonateScope:\n policies:\n - ${testClientUserPolicy.id}\n description: description\n decisionStrategy: UNANIMOUS\n userImpersonatedScope:\n policies:\n - ${testClientUserPolicy.id}\n description: description\n decisionStrategy: UNANIMOUS\nvariables:\n realmManagement:\n fn::invoke:\n Function: keycloak:openid:getClient\n Arguments:\n realmId: ${realm.id}\n clientId: realm-management\n```\n{{% /example %}}\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm in which to manage fine-grained user permissions.\n\nEach of the scopes that can be managed are defined below:\n\n- `view_scope` - (Optional) When specified, set the scope based view permission.\n- `manage_scope` - (Optional) When specified, set the scope based manage permission.\n- `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission.\n- `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission.\n- `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission.\n- `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission.\n\nThe configuration block for each of these scopes supports the following arguments:\n\n- `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID.\n- `description` - (Optional) Description of the permission.\n- `decision_strategy` - (Optional) Decision strategy of the permission.\n\n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`.\n- `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed.\n{{% /examples %}}", "properties": { "authorizationResourceServerId": { "type": "string", @@ -6745,22 +6752,23 @@ } }, "keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper": { + "description": "Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP.\n\nThe LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst ldapUserFederation = new keycloak.ldap.UserFederation(\"ldapUserFederation\", {\n realmId: realm.id,\n usernameLdapAttribute: \"cn\",\n rdnLdapAttribute: \"cn\",\n uuidLdapAttribute: \"entryDN\",\n userObjectClasses: [\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connectionUrl: \"ldap://openldap\",\n usersDn: \"dc=example,dc=org\",\n bindDn: \"cn=admin,dc=example,dc=org\",\n bindCredential: \"admin\",\n});\nconst realmGroup = new keycloak.Group(\"realmGroup\", {realmId: realm.id});\nconst assignGroupToUsers = new keycloak.ldap.HardcodedGroupMapper(\"assignGroupToUsers\", {\n realmId: realm.id,\n ldapUserFederationId: ldapUserFederation.id,\n group: realmGroup.name,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nldap_user_federation = keycloak.ldap.UserFederation(\"ldapUserFederation\",\n realm_id=realm.id,\n username_ldap_attribute=\"cn\",\n rdn_ldap_attribute=\"cn\",\n uuid_ldap_attribute=\"entryDN\",\n user_object_classes=[\n \"simpleSecurityObject\",\n \"organizationalRole\",\n ],\n connection_url=\"ldap://openldap\",\n users_dn=\"dc=example,dc=org\",\n bind_dn=\"cn=admin,dc=example,dc=org\",\n bind_credential=\"admin\")\nrealm_group = keycloak.Group(\"realmGroup\", realm_id=realm.id)\nassign_group_to_users = keycloak.ldap.HardcodedGroupMapper(\"assignGroupToUsers\",\n realm_id=realm.id,\n ldap_user_federation_id=ldap_user_federation.id,\n group=realm_group.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var ldapUserFederation = new Keycloak.Ldap.UserFederation(\"ldapUserFederation\", new()\n {\n RealmId = realm.Id,\n UsernameLdapAttribute = \"cn\",\n RdnLdapAttribute = \"cn\",\n UuidLdapAttribute = \"entryDN\",\n UserObjectClasses = new[]\n {\n \"simpleSecurityObject\",\n \"organizationalRole\",\n },\n ConnectionUrl = \"ldap://openldap\",\n UsersDn = \"dc=example,dc=org\",\n BindDn = \"cn=admin,dc=example,dc=org\",\n BindCredential = \"admin\",\n });\n\n var realmGroup = new Keycloak.Group(\"realmGroup\", new()\n {\n RealmId = realm.Id,\n });\n\n var assignGroupToUsers = new Keycloak.Ldap.HardcodedGroupMapper(\"assignGroupToUsers\", new()\n {\n RealmId = realm.Id,\n LdapUserFederationId = ldapUserFederation.Id,\n Group = realmGroup.Name,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tldapUserFederation, err := ldap.NewUserFederation(ctx, \"ldapUserFederation\", \u0026ldap.UserFederationArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsernameLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tRdnLdapAttribute: pulumi.String(\"cn\"),\n\t\t\tUuidLdapAttribute: pulumi.String(\"entryDN\"),\n\t\t\tUserObjectClasses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"simpleSecurityObject\"),\n\t\t\t\tpulumi.String(\"organizationalRole\"),\n\t\t\t},\n\t\t\tConnectionUrl: pulumi.String(\"ldap://openldap\"),\n\t\t\tUsersDn: pulumi.String(\"dc=example,dc=org\"),\n\t\t\tBindDn: pulumi.String(\"cn=admin,dc=example,dc=org\"),\n\t\t\tBindCredential: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trealmGroup, err := keycloak.NewGroup(ctx, \"realmGroup\", \u0026keycloak.GroupArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewHardcodedGroupMapper(ctx, \"assignGroupToUsers\", \u0026ldap.HardcodedGroupMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tLdapUserFederationId: ldapUserFederation.ID(),\n\t\t\tGroup: realmGroup.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.ldap.UserFederation;\nimport com.pulumi.keycloak.ldap.UserFederationArgs;\nimport com.pulumi.keycloak.Group;\nimport com.pulumi.keycloak.GroupArgs;\nimport com.pulumi.keycloak.ldap.HardcodedGroupMapper;\nimport com.pulumi.keycloak.ldap.HardcodedGroupMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var ldapUserFederation = new UserFederation(\"ldapUserFederation\", UserFederationArgs.builder() \n .realmId(realm.id())\n .usernameLdapAttribute(\"cn\")\n .rdnLdapAttribute(\"cn\")\n .uuidLdapAttribute(\"entryDN\")\n .userObjectClasses( \n \"simpleSecurityObject\",\n \"organizationalRole\")\n .connectionUrl(\"ldap://openldap\")\n .usersDn(\"dc=example,dc=org\")\n .bindDn(\"cn=admin,dc=example,dc=org\")\n .bindCredential(\"admin\")\n .build());\n\n var realmGroup = new Group(\"realmGroup\", GroupArgs.builder() \n .realmId(realm.id())\n .build());\n\n var assignGroupToUsers = new HardcodedGroupMapper(\"assignGroupToUsers\", HardcodedGroupMapperArgs.builder() \n .realmId(realm.id())\n .ldapUserFederationId(ldapUserFederation.id())\n .group(realmGroup.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n ldapUserFederation:\n type: keycloak:ldap:UserFederation\n properties:\n realmId: ${realm.id}\n usernameLdapAttribute: cn\n rdnLdapAttribute: cn\n uuidLdapAttribute: entryDN\n userObjectClasses:\n - simpleSecurityObject\n - organizationalRole\n connectionUrl: ldap://openldap\n usersDn: dc=example,dc=org\n bindDn: cn=admin,dc=example,dc=org\n bindCredential: admin\n realmGroup:\n type: keycloak:Group\n properties:\n realmId: ${realm.id}\n assignGroupToUsers:\n type: keycloak:ldap:HardcodedGroupMapper\n properties:\n realmId: ${realm.id}\n ldapUserFederationId: ${ldapUserFederation.id}\n group: ${realmGroup.name}\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nLDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash\n\n```sh\n $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67\n```\n\n ", "properties": { "group": { "type": "string", - "description": "Group to grant to user.\n" + "description": "The name of the group which should be assigned to the users.\n" }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n" + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n" }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n" + "description": "The realm that this LDAP mapper will exist in.\n" } }, "required": [ @@ -6772,21 +6780,21 @@ "inputProperties": { "group": { "type": "string", - "description": "Group to grant to user.\n", + "description": "The name of the group which should be assigned to the users.\n", "willReplaceOnChanges": true }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true } }, @@ -6800,21 +6808,21 @@ "properties": { "group": { "type": "string", - "description": "Group to grant to user.\n", + "description": "The name of the group which should be assigned to the users.\n", "willReplaceOnChanges": true }, "ldapUserFederationId": { "type": "string", - "description": "The ldap user federation provider to attach this mapper to.\n", + "description": "The ID of the LDAP user federation provider to attach this mapper to.\n", "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Display name of the mapper when displayed in the console.\n" + "description": "Display name of this mapper when displayed in the console.\n" }, "realmId": { "type": "string", - "description": "The realm in which the ldap user federation provider exists.\n", + "description": "The realm that this LDAP mapper will exist in.\n", "willReplaceOnChanges": true } }, @@ -8716,8 +8724,8 @@ "type": "object" } }, - "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": { - "description": "Allows for creating the \"Audience Resolve\" OIDC protocol mapper within Keycloak.\n\nThis protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles\nto imply which audiences are appropriate for the token. See the\n[Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n### Client)\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openidClient\", {\n realmId: realm.id,\n clientId: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst audienceMapper = new keycloak.openid.AudienceResolveProtocolMappter(\"audienceMapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openidClient\",\n realm_id=realm.id,\n client_id=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\naudience_mapper = keycloak.openid.AudienceResolveProtocolMappter(\"audienceMapper\",\n realm_id=realm.id,\n client_id=openid_client.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openidClient\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceResolveProtocolMappter(\"audienceMapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openidClient\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceResolveProtocolMappter(ctx, \"audienceMapper\", \u0026openid.AudienceResolveProtocolMappterArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.AudienceResolveProtocolMappter;\nimport com.pulumi.keycloak.openid.AudienceResolveProtocolMappterArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder() \n .realmId(realm.id())\n .clientId(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var audienceMapper = new AudienceResolveProtocolMappter(\"audienceMapper\", AudienceResolveProtocolMappterArgs.builder() \n .realmId(realm.id())\n .clientId(openidClient.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n audienceMapper:\n type: keycloak:openid:AudienceResolveProtocolMappter\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n```\n\n{{% /example %}}\n{{% example %}}\n### Client Scope)\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"clientScope\", {realmId: realm.id});\nconst audienceMapper = new keycloak.openid.AudienceProtocolMapper(\"audienceMapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"clientScope\", realm_id=realm.id)\naudience_mapper = keycloak.openid.AudienceProtocolMapper(\"audienceMapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"clientScope\", new()\n {\n RealmId = realm.Id,\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper(\"audienceMapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"clientScope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceProtocolMapper(ctx, \"audienceMapper\", \u0026openid.AudienceProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder() \n .realmId(realm.id())\n .build());\n\n var audienceMapper = new AudienceProtocolMapper(\"audienceMapper\", AudienceProtocolMapperArgs.builder() \n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n properties:\n realmId: ${realm.id}\n audienceMapper:\n type: keycloak:openid:AudienceProtocolMapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nProtocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash\n\n```sh\n $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n\n\n```sh\n $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n ", + "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper": { + "description": "Allows for creating the \"Audience Resolve\" OIDC protocol mapper within Keycloak.\n\nThis protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles\nto imply which audiences are appropriate for the token. See the\n[Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n### Client)\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openidClient\", {\n realmId: realm.id,\n clientId: \"client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n});\nconst audienceMapper = new keycloak.openid.AudienceResolveProtocolMapper(\"audienceMapper\", {\n realmId: realm.id,\n clientId: openidClient.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openidClient\",\n realm_id=realm.id,\n client_id=\"client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"])\naudience_mapper = keycloak.openid.AudienceResolveProtocolMapper(\"audienceMapper\",\n realm_id=realm.id,\n client_id=openid_client.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openidClient\", new()\n {\n RealmId = realm.Id,\n ClientId = \"client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceResolveProtocolMapper(\"audienceMapper\", new()\n {\n RealmId = realm.Id,\n ClientId = openidClient.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topenidClient, err := openid.NewClient(ctx, \"openidClient\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceResolveProtocolMapper(ctx, \"audienceMapper\", \u0026openid.AudienceResolveProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: openidClient.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.AudienceResolveProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceResolveProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder() \n .realmId(realm.id())\n .clientId(\"client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .build());\n\n var audienceMapper = new AudienceResolveProtocolMapper(\"audienceMapper\", AudienceResolveProtocolMapperArgs.builder() \n .realmId(realm.id())\n .clientId(openidClient.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n audienceMapper:\n type: keycloak:openid:AudienceResolveProtocolMapper\n properties:\n realmId: ${realm.id}\n clientId: ${openidClient.id}\n```\n\n{{% /example %}}\n{{% example %}}\n### Client Scope)\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst clientScope = new keycloak.openid.ClientScope(\"clientScope\", {realmId: realm.id});\nconst audienceMapper = new keycloak.openid.AudienceProtocolMapper(\"audienceMapper\", {\n realmId: realm.id,\n clientScopeId: clientScope.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nclient_scope = keycloak.openid.ClientScope(\"clientScope\", realm_id=realm.id)\naudience_mapper = keycloak.openid.AudienceProtocolMapper(\"audienceMapper\",\n realm_id=realm.id,\n client_scope_id=client_scope.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var clientScope = new Keycloak.OpenId.ClientScope(\"clientScope\", new()\n {\n RealmId = realm.Id,\n });\n\n var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper(\"audienceMapper\", new()\n {\n RealmId = realm.Id,\n ClientScopeId = clientScope.Id,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tclientScope, err := openid.NewClientScope(ctx, \"clientScope\", \u0026openid.ClientScopeArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewAudienceProtocolMapper(ctx, \"audienceMapper\", \u0026openid.AudienceProtocolMapperArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientScopeId: clientScope.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.ClientScope;\nimport com.pulumi.keycloak.openid.ClientScopeArgs;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapper;\nimport com.pulumi.keycloak.openid.AudienceProtocolMapperArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var clientScope = new ClientScope(\"clientScope\", ClientScopeArgs.builder() \n .realmId(realm.id())\n .build());\n\n var audienceMapper = new AudienceProtocolMapper(\"audienceMapper\", AudienceProtocolMapperArgs.builder() \n .realmId(realm.id())\n .clientScopeId(clientScope.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n clientScope:\n type: keycloak:openid:ClientScope\n properties:\n realmId: ${realm.id}\n audienceMapper:\n type: keycloak:openid:AudienceProtocolMapper\n properties:\n realmId: ${realm.id}\n clientScopeId: ${clientScope.id}\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nProtocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash\n\n```sh\n $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n\n\n```sh\n $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4\n```\n\n ", "properties": { "clientId": { "type": "string", @@ -8766,7 +8774,7 @@ "realmId" ], "stateInputs": { - "description": "Input properties used for looking up and filtering AudienceResolveProtocolMappter resources.\n", + "description": "Input properties used for looking up and filtering AudienceResolveProtocolMapper resources.\n", "properties": { "clientId": { "type": "string", @@ -8790,7 +8798,88 @@ } }, "type": "object" - } + }, + "aliases": [ + { + "type": "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter" + } + ] + }, + "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": { + "properties": { + "clientId": { + "type": "string", + "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n" + }, + "clientScopeId": { + "type": "string", + "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n" + }, + "name": { + "type": "string", + "description": "A human-friendly name that will appear in the Keycloak console.\n" + }, + "realmId": { + "type": "string", + "description": "The realm id where the associated client or client scope exists.\n" + } + }, + "required": [ + "name", + "realmId" + ], + "inputProperties": { + "clientId": { + "type": "string", + "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "willReplaceOnChanges": true + }, + "clientScopeId": { + "type": "string", + "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "willReplaceOnChanges": true + }, + "name": { + "type": "string", + "description": "A human-friendly name that will appear in the Keycloak console.\n", + "willReplaceOnChanges": true + }, + "realmId": { + "type": "string", + "description": "The realm id where the associated client or client scope exists.\n", + "willReplaceOnChanges": true + } + }, + "requiredInputs": [ + "realmId" + ], + "stateInputs": { + "description": "Input properties used for looking up and filtering AudienceResolveProtocolMappter resources.\n", + "properties": { + "clientId": { + "type": "string", + "description": "The mapper's associated client. Cannot be used at the same time as client_scope_id.\n", + "willReplaceOnChanges": true + }, + "clientScopeId": { + "type": "string", + "description": "The mapper's associated client scope. Cannot be used at the same time as client_id.\n", + "willReplaceOnChanges": true + }, + "name": { + "type": "string", + "description": "A human-friendly name that will appear in the Keycloak console.\n", + "willReplaceOnChanges": true + }, + "realmId": { + "type": "string", + "description": "The realm id where the associated client or client scope exists.\n", + "willReplaceOnChanges": true + } + }, + "type": "object" + }, + "deprecationMessage": "keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper" }, "keycloak:openid/client:Client": { "description": "Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.\n\nClients are entities that can use Keycloak for user authentication. Typically,\nclients are applications that redirect users to Keycloak for authentication\nin order to take advantage of Keycloak's user sessions for SSO.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst openidClient = new keycloak.openid.Client(\"openidClient\", {\n realmId: realm.id,\n clientId: \"test-client\",\n enabled: true,\n accessType: \"CONFIDENTIAL\",\n validRedirectUris: [\"http://localhost:8080/openid-callback\"],\n loginTheme: \"keycloak\",\n extraConfig: {\n key1: \"value1\",\n key2: \"value2\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\nopenid_client = keycloak.openid.Client(\"openidClient\",\n realm_id=realm.id,\n client_id=\"test-client\",\n enabled=True,\n access_type=\"CONFIDENTIAL\",\n valid_redirect_uris=[\"http://localhost:8080/openid-callback\"],\n login_theme=\"keycloak\",\n extra_config={\n \"key1\": \"value1\",\n \"key2\": \"value2\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var openidClient = new Keycloak.OpenId.Client(\"openidClient\", new()\n {\n RealmId = realm.Id,\n ClientId = \"test-client\",\n Enabled = true,\n AccessType = \"CONFIDENTIAL\",\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/openid-callback\",\n },\n LoginTheme = \"keycloak\",\n ExtraConfig = \n {\n { \"key1\", \"value1\" },\n { \"key2\", \"value2\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"my-realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"openidClient\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"test-client\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/openid-callback\"),\n\t\t\t},\n\t\t\tLoginTheme: pulumi.String(\"keycloak\"),\n\t\t\tExtraConfig: pulumi.Map{\n\t\t\t\t\"key1\": pulumi.Any(\"value1\"),\n\t\t\t\t\"key2\": pulumi.Any(\"value2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var openidClient = new Client(\"openidClient\", ClientArgs.builder() \n .realmId(realm.id())\n .clientId(\"test-client\")\n .enabled(true)\n .accessType(\"CONFIDENTIAL\")\n .validRedirectUris(\"http://localhost:8080/openid-callback\")\n .loginTheme(\"keycloak\")\n .extraConfig(Map.ofEntries(\n Map.entry(\"key1\", \"value1\"),\n Map.entry(\"key2\", \"value2\")\n ))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n openidClient:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: test-client\n enabled: true\n accessType: CONFIDENTIAL\n validRedirectUris:\n - http://localhost:8080/openid-callback\n loginTheme: keycloak\n extraConfig:\n key1: value1\n key2: value2\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nClients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Examplebash\n\n```sh\n $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352\n```\n\n ", @@ -9522,6 +9611,7 @@ } }, "keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission": { + "description": "## # keycloak.openid.ClientAuthorizationPermission\n\nAllows you to manage openid Client Authorization Permissions.\n\n### Example Usage\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {\n realm: \"my-realm\",\n enabled: true,\n});\nconst testClient = new keycloak.openid.Client(\"testClient\", {\n clientId: \"client_id\",\n realmId: realm.id,\n accessType: \"CONFIDENTIAL\",\n serviceAccountsEnabled: true,\n authorization: {\n policyEnforcementMode: \"ENFORCING\",\n },\n});\nconst default = keycloak.openid.getClientAuthorizationPolicyOutput({\n realmId: realm.id,\n resourceServerId: testClient.resourceServerId,\n name: \"default\",\n});\nconst testClientAuthorizationResource = new keycloak.openid.ClientAuthorizationResource(\"testClientAuthorizationResource\", {\n resourceServerId: testClient.resourceServerId,\n realmId: realm.id,\n uris: [\"/endpoint/*\"],\n});\nconst testClientAuthorizationScope = new keycloak.openid.ClientAuthorizationScope(\"testClientAuthorizationScope\", {\n resourceServerId: testClient.resourceServerId,\n realmId: realm.id,\n});\nconst testClientAuthorizationPermission = new keycloak.openid.ClientAuthorizationPermission(\"testClientAuthorizationPermission\", {\n resourceServerId: testClient.resourceServerId,\n realmId: realm.id,\n policies: [_default.apply(_default =\u003e _default.id)],\n resources: [testClientAuthorizationResource.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\",\n realm=\"my-realm\",\n enabled=True)\ntest_client = keycloak.openid.Client(\"testClient\",\n client_id=\"client_id\",\n realm_id=realm.id,\n access_type=\"CONFIDENTIAL\",\n service_accounts_enabled=True,\n authorization=keycloak.openid.ClientAuthorizationArgs(\n policy_enforcement_mode=\"ENFORCING\",\n ))\ndefault = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,\n resource_server_id=test_client.resource_server_id,\n name=\"default\")\ntest_client_authorization_resource = keycloak.openid.ClientAuthorizationResource(\"testClientAuthorizationResource\",\n resource_server_id=test_client.resource_server_id,\n realm_id=realm.id,\n uris=[\"/endpoint/*\"])\ntest_client_authorization_scope = keycloak.openid.ClientAuthorizationScope(\"testClientAuthorizationScope\",\n resource_server_id=test_client.resource_server_id,\n realm_id=realm.id)\ntest_client_authorization_permission = keycloak.openid.ClientAuthorizationPermission(\"testClientAuthorizationPermission\",\n resource_server_id=test_client.resource_server_id,\n realm_id=realm.id,\n policies=[default.id],\n resources=[test_client_authorization_resource.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"my-realm\",\n Enabled = true,\n });\n\n var testClient = new Keycloak.OpenId.Client(\"testClient\", new()\n {\n ClientId = \"client_id\",\n RealmId = realm.Id,\n AccessType = \"CONFIDENTIAL\",\n ServiceAccountsEnabled = true,\n Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs\n {\n PolicyEnforcementMode = \"ENFORCING\",\n },\n });\n\n var @default = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new()\n {\n RealmId = realm.Id,\n ResourceServerId = testClient.ResourceServerId,\n Name = \"default\",\n });\n\n var testClientAuthorizationResource = new Keycloak.OpenId.ClientAuthorizationResource(\"testClientAuthorizationResource\", new()\n {\n ResourceServerId = testClient.ResourceServerId,\n RealmId = realm.Id,\n Uris = new[]\n {\n \"/endpoint/*\",\n },\n });\n\n var testClientAuthorizationScope = new Keycloak.OpenId.ClientAuthorizationScope(\"testClientAuthorizationScope\", new()\n {\n ResourceServerId = testClient.ResourceServerId,\n RealmId = realm.Id,\n });\n\n var testClientAuthorizationPermission = new Keycloak.OpenId.ClientAuthorizationPermission(\"testClientAuthorizationPermission\", new()\n {\n ResourceServerId = testClient.ResourceServerId,\n RealmId = realm.Id,\n Policies = new[]\n {\n @default.Apply(@default =\u003e @default.Apply(getClientAuthorizationPolicyResult =\u003e getClientAuthorizationPolicyResult.Id)),\n },\n Resources = new[]\n {\n testClientAuthorizationResource.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\nfunc main() {\npulumi.Run(func(ctx *pulumi.Context) error {\nrealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\nRealm: pulumi.String(\"my-realm\"),\nEnabled: pulumi.Bool(true),\n})\nif err != nil {\nreturn err\n}\ntestClient, err := openid.NewClient(ctx, \"testClient\", \u0026openid.ClientArgs{\nClientId: pulumi.String(\"client_id\"),\nRealmId: realm.ID(),\nAccessType: pulumi.String(\"CONFIDENTIAL\"),\nServiceAccountsEnabled: pulumi.Bool(true),\nAuthorization: \u0026openid.ClientAuthorizationArgs{\nPolicyEnforcementMode: pulumi.String(\"ENFORCING\"),\n},\n})\nif err != nil {\nreturn err\n}\n_default := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{\nRealmId: realm.ID(),\nResourceServerId: testClient.ResourceServerId,\nName: pulumi.String(\"default\"),\n}, nil);\ntestClientAuthorizationResource, err := openid.NewClientAuthorizationResource(ctx, \"testClientAuthorizationResource\", \u0026openid.ClientAuthorizationResourceArgs{\nResourceServerId: testClient.ResourceServerId,\nRealmId: realm.ID(),\nUris: pulumi.StringArray{\npulumi.String(\"/endpoint/*\"),\n},\n})\nif err != nil {\nreturn err\n}\n_, err = openid.NewClientAuthorizationScope(ctx, \"testClientAuthorizationScope\", \u0026openid.ClientAuthorizationScopeArgs{\nResourceServerId: testClient.ResourceServerId,\nRealmId: realm.ID(),\n})\nif err != nil {\nreturn err\n}\n_, err = openid.NewClientAuthorizationPermission(ctx, \"testClientAuthorizationPermission\", \u0026openid.ClientAuthorizationPermissionArgs{\nResourceServerId: testClient.ResourceServerId,\nRealmId: realm.ID(),\nPolicies: pulumi.StringArray{\n_default.ApplyT(func(_default openid.GetClientAuthorizationPolicyResult) (*string, error) {\nreturn \u0026default.Id, nil\n}).(pulumi.StringPtrOutput),\n},\nResources: pulumi.StringArray{\ntestClientAuthorizationResource.ID(),\n},\n})\nif err != nil {\nreturn err\n}\nreturn nil\n})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;\nimport com.pulumi.keycloak.openid.OpenidFunctions;\nimport com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;\nimport com.pulumi.keycloak.openid.ClientAuthorizationResource;\nimport com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;\nimport com.pulumi.keycloak.openid.ClientAuthorizationScope;\nimport com.pulumi.keycloak.openid.ClientAuthorizationScopeArgs;\nimport com.pulumi.keycloak.openid.ClientAuthorizationPermission;\nimport com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"my-realm\")\n .enabled(true)\n .build());\n\n var testClient = new Client(\"testClient\", ClientArgs.builder() \n .clientId(\"client_id\")\n .realmId(realm.id())\n .accessType(\"CONFIDENTIAL\")\n .serviceAccountsEnabled(true)\n .authorization(ClientAuthorizationArgs.builder()\n .policyEnforcementMode(\"ENFORCING\")\n .build())\n .build());\n\n final var default = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()\n .realmId(realm.id())\n .resourceServerId(testClient.resourceServerId())\n .name(\"default\")\n .build());\n\n var testClientAuthorizationResource = new ClientAuthorizationResource(\"testClientAuthorizationResource\", ClientAuthorizationResourceArgs.builder() \n .resourceServerId(testClient.resourceServerId())\n .realmId(realm.id())\n .uris(\"/endpoint/*\")\n .build());\n\n var testClientAuthorizationScope = new ClientAuthorizationScope(\"testClientAuthorizationScope\", ClientAuthorizationScopeArgs.builder() \n .resourceServerId(testClient.resourceServerId())\n .realmId(realm.id())\n .build());\n\n var testClientAuthorizationPermission = new ClientAuthorizationPermission(\"testClientAuthorizationPermission\", ClientAuthorizationPermissionArgs.builder() \n .resourceServerId(testClient.resourceServerId())\n .realmId(realm.id())\n .policies(default_.applyValue(default_ -\u003e default_.id()))\n .resources(testClientAuthorizationResource.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: my-realm\n enabled: true\n testClient:\n type: keycloak:openid:Client\n properties:\n clientId: client_id\n realmId: ${realm.id}\n accessType: CONFIDENTIAL\n serviceAccountsEnabled: true\n authorization:\n policyEnforcementMode: ENFORCING\n testClientAuthorizationResource:\n type: keycloak:openid:ClientAuthorizationResource\n properties:\n resourceServerId: ${testClient.resourceServerId}\n realmId: ${realm.id}\n uris:\n - /endpoint/*\n testClientAuthorizationScope:\n type: keycloak:openid:ClientAuthorizationScope\n properties:\n resourceServerId: ${testClient.resourceServerId}\n realmId: ${realm.id}\n testClientAuthorizationPermission:\n type: keycloak:openid:ClientAuthorizationPermission\n properties:\n resourceServerId: ${testClient.resourceServerId}\n realmId: ${realm.id}\n policies:\n - ${default.id}\n resources:\n - ${testClientAuthorizationResource.id}\nvariables:\n default:\n fn::invoke:\n Function: keycloak:openid:getClientAuthorizationPolicy\n Arguments:\n realmId: ${realm.id}\n resourceServerId: ${testClient.resourceServerId}\n name: default\n```\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this group exists in.\n- `resource_server_id` - (Required) The ID of the resource server.\n- `name` - (Required) The name of the permission.\n- `description` - (Optional) A description for the authorization permission.\n- `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`.\n- `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission.\n- `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`.\n- `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`.\n- `scopes` - (Optional) A list of scope IDs that this permission must be applied to.\n- `type` - (Optional) The type of permission, can be one of `resource` or `scope`.\n\n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `id` - Permission ID representing the permission.\n\n\n## Import\n\nClient authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash\n\n```sh\n $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9\n```\n\n ", "properties": { "decisionStrategy": { "type": "string" @@ -10223,6 +10313,7 @@ } }, "keycloak:openid/clientPermissions:ClientPermissions": { + "description": "## # keycloak.openid.ClientPermissions\n\nAllows you to manage all openid client Scope Based Permissions.\n\nThis is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More\ninformation about enabling the preview feature can be found\nhere: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange\n\nWhen enabling Openid Client Permissions, Keycloak does several things automatically:\n\n1. Enable Authorization on build-in realm-management client\n1. Create scopes \"view\", \"manage\", \"configure\", \"map-roles\", \"map-roles-client-scope\", \"map-roles-composite\", \"\n token-exchange\"\n1. Create a resource representing the openid client\n1. Create all scope based permission for the scopes and openid client resource\n\nIf the realm-management Authorization is not enable, you have to ceate a dependency (`depends_on`) with the policy and\nthe openid client.\n\n### Example Usage\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst realm = new keycloak.Realm(\"realm\", {realm: \"realm\"});\nconst myOpenidClient = new keycloak.openid.Client(\"myOpenidClient\", {\n realmId: realm.id,\n clientId: \"my_openid_client\",\n clientSecret: \"secret\",\n accessType: \"CONFIDENTIAL\",\n standardFlowEnabled: true,\n validRedirectUris: [\"http://localhost:8080/*\"],\n});\nconst realmManagement = keycloak.openid.getClientOutput({\n realmId: realm.id,\n clientId: \"realm-management\",\n});\nconst testUser = new keycloak.User(\"testUser\", {\n realmId: realm.id,\n username: \"test-user\",\n email: \"test-user@fakedomain.com\",\n firstName: \"Testy\",\n lastName: \"Tester\",\n});\nconst testClientUserPolicy = new keycloak.openid.ClientUserPolicy(\"testClientUserPolicy\", {\n resourceServerId: realmManagement.apply(realmManagement =\u003e realmManagement.id),\n realmId: realm.id,\n users: [testUser.id],\n logic: \"POSITIVE\",\n decisionStrategy: \"UNANIMOUS\",\n}, {\n dependsOn: [myOpenidClient],\n});\nconst myPermission = new keycloak.openid.ClientPermissions(\"myPermission\", {\n realmId: realm.id,\n clientId: myOpenidClient.id,\n viewScope: {\n policies: [testClientUserPolicy.id],\n description: \"my description\",\n decisionStrategy: \"UNANIMOUS\",\n },\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\nrealm = keycloak.Realm(\"realm\", realm=\"realm\")\nmy_openid_client = keycloak.openid.Client(\"myOpenidClient\",\n realm_id=realm.id,\n client_id=\"my_openid_client\",\n client_secret=\"secret\",\n access_type=\"CONFIDENTIAL\",\n standard_flow_enabled=True,\n valid_redirect_uris=[\"http://localhost:8080/*\"])\nrealm_management = keycloak.openid.get_client_output(realm_id=realm.id,\n client_id=\"realm-management\")\ntest_user = keycloak.User(\"testUser\",\n realm_id=realm.id,\n username=\"test-user\",\n email=\"test-user@fakedomain.com\",\n first_name=\"Testy\",\n last_name=\"Tester\")\ntest_client_user_policy = keycloak.openid.ClientUserPolicy(\"testClientUserPolicy\",\n resource_server_id=realm_management.id,\n realm_id=realm.id,\n users=[test_user.id],\n logic=\"POSITIVE\",\n decision_strategy=\"UNANIMOUS\",\n opts=pulumi.ResourceOptions(depends_on=[my_openid_client]))\nmy_permission = keycloak.openid.ClientPermissions(\"myPermission\",\n realm_id=realm.id,\n client_id=my_openid_client.id,\n view_scope=keycloak.openid.ClientPermissionsViewScopeArgs(\n policies=[test_client_user_policy.id],\n description=\"my description\",\n decision_strategy=\"UNANIMOUS\",\n ))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var realm = new Keycloak.Realm(\"realm\", new()\n {\n RealmName = \"realm\",\n });\n\n var myOpenidClient = new Keycloak.OpenId.Client(\"myOpenidClient\", new()\n {\n RealmId = realm.Id,\n ClientId = \"my_openid_client\",\n ClientSecret = \"secret\",\n AccessType = \"CONFIDENTIAL\",\n StandardFlowEnabled = true,\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/*\",\n },\n });\n\n var realmManagement = Keycloak.OpenId.GetClient.Invoke(new()\n {\n RealmId = realm.Id,\n ClientId = \"realm-management\",\n });\n\n var testUser = new Keycloak.User(\"testUser\", new()\n {\n RealmId = realm.Id,\n Username = \"test-user\",\n Email = \"test-user@fakedomain.com\",\n FirstName = \"Testy\",\n LastName = \"Tester\",\n });\n\n var testClientUserPolicy = new Keycloak.OpenId.ClientUserPolicy(\"testClientUserPolicy\", new()\n {\n ResourceServerId = realmManagement.Apply(getClientResult =\u003e getClientResult.Id),\n RealmId = realm.Id,\n Users = new[]\n {\n testUser.Id,\n },\n Logic = \"POSITIVE\",\n DecisionStrategy = \"UNANIMOUS\",\n }, new CustomResourceOptions\n {\n DependsOn = new[]\n {\n myOpenidClient,\n },\n });\n\n var myPermission = new Keycloak.OpenId.ClientPermissions(\"myPermission\", new()\n {\n RealmId = realm.Id,\n ClientId = myOpenidClient.Id,\n ViewScope = new Keycloak.OpenId.Inputs.ClientPermissionsViewScopeArgs\n {\n Policies = new[]\n {\n testClientUserPolicy.Id,\n },\n Description = \"my description\",\n DecisionStrategy = \"UNANIMOUS\",\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trealm, err := keycloak.NewRealm(ctx, \"realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"realm\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmyOpenidClient, err := openid.NewClient(ctx, \"myOpenidClient\", \u0026openid.ClientArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"my_openid_client\"),\n\t\t\tClientSecret: pulumi.String(\"secret\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tStandardFlowEnabled: pulumi.Bool(true),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/*\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trealmManagement := openid.LookupClientOutput(ctx, openid.GetClientOutputArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: pulumi.String(\"realm-management\"),\n\t\t}, nil)\n\t\ttestUser, err := keycloak.NewUser(ctx, \"testUser\", \u0026keycloak.UserArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsername: pulumi.String(\"test-user\"),\n\t\t\tEmail: pulumi.String(\"test-user@fakedomain.com\"),\n\t\t\tFirstName: pulumi.String(\"Testy\"),\n\t\t\tLastName: pulumi.String(\"Tester\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttestClientUserPolicy, err := openid.NewClientUserPolicy(ctx, \"testClientUserPolicy\", \u0026openid.ClientUserPolicyArgs{\n\t\t\tResourceServerId: realmManagement.ApplyT(func(realmManagement openid.GetClientResult) (*string, error) {\n\t\t\t\treturn \u0026realmManagement.Id, nil\n\t\t\t}).(pulumi.StringPtrOutput),\n\t\t\tRealmId: realm.ID(),\n\t\t\tUsers: pulumi.StringArray{\n\t\t\t\ttestUser.ID(),\n\t\t\t},\n\t\t\tLogic: pulumi.String(\"POSITIVE\"),\n\t\t\tDecisionStrategy: pulumi.String(\"UNANIMOUS\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tmyOpenidClient,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClientPermissions(ctx, \"myPermission\", \u0026openid.ClientPermissionsArgs{\n\t\t\tRealmId: realm.ID(),\n\t\t\tClientId: myOpenidClient.ID(),\n\t\t\tViewScope: \u0026openid.ClientPermissionsViewScopeArgs{\n\t\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\t\ttestClientUserPolicy.ID(),\n\t\t\t\t},\n\t\t\t\tDescription: pulumi.String(\"my description\"),\n\t\t\t\tDecisionStrategy: pulumi.String(\"UNANIMOUS\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.openid.OpenidFunctions;\nimport com.pulumi.keycloak.openid.inputs.GetClientArgs;\nimport com.pulumi.keycloak.User;\nimport com.pulumi.keycloak.UserArgs;\nimport com.pulumi.keycloak.openid.ClientUserPolicy;\nimport com.pulumi.keycloak.openid.ClientUserPolicyArgs;\nimport com.pulumi.keycloak.openid.ClientPermissions;\nimport com.pulumi.keycloak.openid.ClientPermissionsArgs;\nimport com.pulumi.keycloak.openid.inputs.ClientPermissionsViewScopeArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var realm = new Realm(\"realm\", RealmArgs.builder() \n .realm(\"realm\")\n .build());\n\n var myOpenidClient = new Client(\"myOpenidClient\", ClientArgs.builder() \n .realmId(realm.id())\n .clientId(\"my_openid_client\")\n .clientSecret(\"secret\")\n .accessType(\"CONFIDENTIAL\")\n .standardFlowEnabled(true)\n .validRedirectUris(\"http://localhost:8080/*\")\n .build());\n\n final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()\n .realmId(realm.id())\n .clientId(\"realm-management\")\n .build());\n\n var testUser = new User(\"testUser\", UserArgs.builder() \n .realmId(realm.id())\n .username(\"test-user\")\n .email(\"test-user@fakedomain.com\")\n .firstName(\"Testy\")\n .lastName(\"Tester\")\n .build());\n\n var testClientUserPolicy = new ClientUserPolicy(\"testClientUserPolicy\", ClientUserPolicyArgs.builder() \n .resourceServerId(realmManagement.applyValue(getClientResult -\u003e getClientResult).applyValue(realmManagement -\u003e realmManagement.applyValue(getClientResult -\u003e getClientResult.id())))\n .realmId(realm.id())\n .users(testUser.id())\n .logic(\"POSITIVE\")\n .decisionStrategy(\"UNANIMOUS\")\n .build(), CustomResourceOptions.builder()\n .dependsOn(myOpenidClient)\n .build());\n\n var myPermission = new ClientPermissions(\"myPermission\", ClientPermissionsArgs.builder() \n .realmId(realm.id())\n .clientId(myOpenidClient.id())\n .viewScope(ClientPermissionsViewScopeArgs.builder()\n .policies(testClientUserPolicy.id())\n .description(\"my description\")\n .decisionStrategy(\"UNANIMOUS\")\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n realm:\n type: keycloak:Realm\n properties:\n realm: realm\n myOpenidClient:\n type: keycloak:openid:Client\n properties:\n realmId: ${realm.id}\n clientId: my_openid_client\n clientSecret: secret\n accessType: CONFIDENTIAL\n standardFlowEnabled: true\n validRedirectUris:\n - http://localhost:8080/*\n testUser:\n type: keycloak:User\n properties:\n realmId: ${realm.id}\n username: test-user\n email: test-user@fakedomain.com\n firstName: Testy\n lastName: Tester\n testClientUserPolicy:\n type: keycloak:openid:ClientUserPolicy\n properties:\n resourceServerId: ${realmManagement.id}\n realmId: ${realm.id}\n users:\n - ${testUser.id}\n logic: POSITIVE\n decisionStrategy: UNANIMOUS\n options:\n dependson:\n - ${myOpenidClient}\n myPermission:\n type: keycloak:openid:ClientPermissions\n properties:\n realmId: ${realm.id}\n clientId: ${myOpenidClient.id}\n viewScope:\n policies:\n - ${testClientUserPolicy.id}\n description: my description\n decisionStrategy: UNANIMOUS\nvariables:\n realmManagement:\n fn::invoke:\n Function: keycloak:openid:getClient\n Arguments:\n realmId: ${realm.id}\n clientId: realm-management\n```\n\n### Argument Reference\n\nThe following arguments are supported:\n\n- `realm_id` - (Required) The realm this group exists in.\n- `client_id` - (Required) The id of the client that provides the role.\n\n#### Permission Scopes\n\nPermission scopes can be defined using the following attributes:\n\n- `view_scope`\n- `manage_scope`\n- `configure_scope`\n- `map_roles_scope`\n- `map_roles_client_scope_scope`\n- `map_roles_composite_scope`\n- `token_exchange_scope`\n\nEach of these attributes have the following schema:\n\n- `policies` - (Optional) A list of policy IDs\n- `description` - (Optional) A description for the permission scope\n- `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`.\n\n### Attributes Reference\n\nIn addition to the arguments listed above, the following computed attributes are exported:\n\n- `authorization_resource_server_id` - Resource server id representing the realm management client on which this\n permission is managed.\n", "properties": { "authorizationResourceServerId": { "type": "string", diff --git a/provider/go.mod b/provider/go.mod index 65cc684f..f7646ed2 100644 --- a/provider/go.mod +++ b/provider/go.mod @@ -5,7 +5,7 @@ go 1.21 replace ( github.com/hashicorp/terraform-plugin-sdk/v2 => github.com/pulumi/terraform-plugin-sdk/v2 v2.0.0-20230912190043-e6d96b3b8f7e github.com/hashicorp/vault => github.com/hashicorp/vault v1.2.0 - github.com/mrparkers/terraform-provider-keycloak => github.com/pulumi/terraform-provider-keycloak v0.0.0-20230627215010-59381e0aea4c + github.com/mrparkers/terraform-provider-keycloak => ../upstream ) require ( diff --git a/provider/resources.go b/provider/resources.go index d2667700..feda19cc 100644 --- a/provider/resources.go +++ b/provider/resources.go @@ -16,18 +16,18 @@ package keycloak import ( "fmt" - tfbridgetokens "github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge/tokens" - "path/filepath" + "path" "strings" - "unicode" // embed is used to store bridge-metadata.json in the compiled binary _ "embed" "github.com/mrparkers/terraform-provider-keycloak/provider" - "github.com/pulumi/pulumi-keycloak/provider/v5/pkg/version" "github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge" + tks "github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge/tokens" shimv2 "github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfshim/sdk-v2" "github.com/pulumi/pulumi/sdk/v3/go/common/tokens" + + "github.com/pulumi/pulumi-keycloak/provider/v5/pkg/version" ) // all of the token components used below. @@ -35,37 +35,25 @@ const ( // packages: mainPkg = "keycloak" // modules: - mainMod = "index" // the y module - ldapMod = "Ldap" // the ldap module - oidcMod = "Oidc" // the oidc module - openIDMod = "OpenId" // the openid module - samlMod = "Saml" // the Saml module - authenticationMod = "Authentication" // the Authentication module + mainMod = "index" // the main module + openIDMod = "OpenId" // the openid module + samlMod = "Saml" // the Saml module ) -// makeMember manufactures a type token for the package and the given module and type. -func makeMember(mod string, mem string) tokens.ModuleMember { - moduleName := strings.ToLower(mod) - fn := string(unicode.ToLower(rune(mem[0]))) + mem[1:] - token := moduleName + "/" + fn - return tokens.ModuleMember(mainPkg + ":" + token + ":" + mem) -} - -func makeType(mod string, typ string) tokens.Type { - return tokens.Type(makeMember(mod, typ)) -} - func makeDataSource(mod string, res string) tokens.ModuleMember { - return makeMember(mod, res) + mod = strings.ToLower(mod) + return tfbridge.MakeDataSource(mainPkg, mod, res) } func makeResource(mod string, res string) tokens.Type { - return makeType(mod, res) + mod = strings.ToLower(mod) + return tfbridge.MakeResource(mainPkg, mod, res) } -func refProviderLicense(license tfbridge.TFProviderLicense) *tfbridge.TFProviderLicense { - return &license -} +func ref[T any](t T) *T { return &t } + +//go:embed cmd/pulumi-resource-keycloak/bridge-metadata.json +var metadata []byte // Provider returns additional overlaid schema and metadata associated with the provider.. func Provider() tfbridge.ProviderInfo { @@ -82,7 +70,11 @@ func Provider() tfbridge.ProviderInfo { License: "Apache-2.0", Homepage: "https://pulumi.io", Repository: "https://github.com/pulumi/pulumi-keycloak", - TFProviderLicense: refProviderLicense(tfbridge.MITLicenseType), + TFProviderLicense: ref(tfbridge.MITLicenseType), + MetadataInfo: tfbridge.NewProviderMetadata(metadata), + UpstreamRepoPath: "./upstream", + Version: version.Version, + Config: map[string]*tfbridge.SchemaInfo{ "client_timeout": { Default: &tfbridge.DefaultInfo{ @@ -92,233 +84,76 @@ func Provider() tfbridge.ProviderInfo { }, }, Resources: map[string]*tfbridge.ResourceInfo{ - "keycloak_attribute_importer_identity_provider_mapper": { - Tok: makeResource(mainMod, "AttributeImporterIdentityProviderMapper"), - }, "keycloak_attribute_to_role_identity_provider_mapper": { - Tok: makeResource(mainMod, "AttributeToRoleIdentityMapper"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Tok: makeResource(mainMod, "AttributeToRoleIdentityMapper"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, + }, + "keycloak_custom_identity_provider_mapper": { + Tok: makeResource(mainMod, "CustomIdentityProviderMapping"), }, - "keycloak_custom_user_federation": {Tok: makeResource(mainMod, "CustomUserFederation")}, - "keycloak_custom_identity_provider_mapper": {Tok: makeResource(mainMod, "CustomIdentityProviderMapping")}, - "keycloak_default_groups": {Tok: makeResource(mainMod, "DefaultGroups")}, "keycloak_default_roles": { - Tok: makeResource(mainMod, "DefaultRoles"), Fields: map[string]*tfbridge.SchemaInfo{ "default_roles": { CSharpName: "RoleNames", }, }, }, - "keycloak_generic_client_protocol_mapper": {Tok: makeResource(mainMod, "GenericClientProtocolMapper")}, - "keycloak_group": {Tok: makeResource(mainMod, "Group")}, - "keycloak_group_memberships": {Tok: makeResource(mainMod, "GroupMemberships")}, - "keycloak_group_permissions": {Tok: makeResource(mainMod, "GroupPermissions")}, - "keycloak_group_roles": {Tok: makeResource(mainMod, "GroupRoles")}, "keycloak_hardcoded_attribute_identity_provider_mapper": { - Tok: makeResource(mainMod, "HardcodedAttributeIdentityProviderMapper"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Tok: makeResource(mainMod, "HardcodedAttributeIdentityProviderMapper"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_hardcoded_role_identity_provider_mapper": { - Tok: makeResource(mainMod, "HardcodedRoleIdentityMapper"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Tok: makeResource(mainMod, "HardcodedRoleIdentityMapper"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_realm": { - Tok: makeResource(mainMod, "Realm"), Fields: map[string]*tfbridge.SchemaInfo{ - "realm": { - CSharpName: "RealmName", - }, + "realm": {CSharpName: "RealmName"}, }, }, - "keycloak_required_action": {Tok: makeResource(mainMod, "RequiredAction")}, - "keycloak_role": {Tok: makeResource(mainMod, "Role")}, - "keycloak_user": {Tok: makeResource(mainMod, "User")}, - "keycloak_user_roles": {Tok: makeResource(mainMod, "UserRoles")}, - "keycloak_user_groups": {Tok: makeResource(mainMod, "UserGroups")}, "keycloak_users_permissions": { - Tok: makeResource(mainMod, "UsersPermissions"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, - }, - "keycloak_user_template_importer_identity_provider_mapper": { - Tok: makeResource(mainMod, "UserTemplateImporterIdentityProviderMapper"), - }, - "keycloak_realm_events": {Tok: makeResource(mainMod, "RealmEvents")}, - "keycloak_generic_client_role_mapper": {Tok: makeResource(mainMod, "GenericClientRoleMapper")}, - "keycloak_identity_provider_token_exchange_scope_permission": { - Tok: makeResource(mainMod, "IdentityProviderTokenExchangeScopePermission"), - }, - "keycloak_realm_keystore_aes_generated": {Tok: makeResource(mainMod, "RealmKeystoreAesGenerated")}, - "keycloak_realm_keystore_ecdsa_generated": {Tok: makeResource(mainMod, "RealmKeystoreEcdsaGenerated")}, - "keycloak_realm_keystore_hmac_generated": {Tok: makeResource(mainMod, "RealmKeystoreHmacGenerated")}, - "keycloak_realm_keystore_java_keystore": {Tok: makeResource(mainMod, "RealmKeystoreJavaGenerated")}, - "keycloak_realm_keystore_rsa": {Tok: makeResource(mainMod, "RealmKeystoreRsa")}, - "keycloak_realm_keystore_rsa_generated": {Tok: makeResource(mainMod, "RealmKeystoreRsaGenerated")}, - "keycloak_realm_user_profile": {Tok: makeResource(mainMod, "RealmUserProfile")}, - - "keycloak_ldap_full_name_mapper": {Tok: makeResource(ldapMod, "FullNameMapper")}, - "keycloak_ldap_group_mapper": {Tok: makeResource(ldapMod, "GroupMapper")}, - "keycloak_ldap_msad_user_account_control_mapper": { - Tok: makeResource(ldapMod, "MsadUserAccountControlMapper"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, - "keycloak_ldap_user_attribute_mapper": {Tok: makeResource(ldapMod, "UserAttributeMapper")}, - "keycloak_ldap_user_federation": {Tok: makeResource(ldapMod, "UserFederation")}, - "keycloak_ldap_hardcoded_role_mapper": {Tok: makeResource(ldapMod, "HardcodedRoleMapper")}, - "keycloak_ldap_msad_lds_user_account_control_mapper": { - Tok: makeResource(ldapMod, "MsadLdsUserAccountControlMapper"), + "keycloak_realm_keystore_java_keystore": { + Tok: makeResource(mainMod, "RealmKeystoreJavaGenerated"), }, "keycloak_ldap_hardcoded_group_mapper": { - Tok: makeResource(ldapMod, "HardcodedGroupMapper"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, - "keycloak_ldap_role_mapper": {Tok: makeResource(ldapMod, "RoleMapper")}, - - "keycloak_oidc_identity_provider": {Tok: makeResource(oidcMod, "IdentityProvider")}, - "keycloak_oidc_google_identity_provider": {Tok: makeResource(oidcMod, "GoogleIdentityProvider")}, - - "keycloak_openid_audience_protocol_mapper": {Tok: makeResource(openIDMod, "AudienceProtocolMapper")}, - "keycloak_openid_client": {Tok: makeResource(openIDMod, "Client")}, "keycloak_openid_client_authorization_permission": { - Tok: makeResource(openIDMod, "ClientAuthorizationPermission"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_authorization_resource": { - Tok: makeResource(openIDMod, "ClientAuthorizationResource"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, - }, - "keycloak_openid_client_authorization_scope": { - Tok: makeResource(openIDMod, "ClientAuthorizationScope"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, - }, - "keycloak_openid_client_default_scopes": {Tok: makeResource(openIDMod, "ClientDefaultScopes")}, - "keycloak_openid_client_optional_scopes": {Tok: makeResource(openIDMod, "ClientOptionalScopes")}, - "keycloak_openid_client_scope": {Tok: makeResource(openIDMod, "ClientScope")}, - "keycloak_openid_client_service_account_role": {Tok: makeResource(openIDMod, "ClientServiceAccountRole")}, - "keycloak_openid_full_name_protocol_mapper": {Tok: makeResource(openIDMod, "FullNameProtocolMapper")}, - "keycloak_openid_group_membership_protocol_mapper": { - Tok: makeResource(openIDMod, "GroupMembershipProtocolMapper"), - }, - "keycloak_openid_hardcoded_claim_protocol_mapper": { - Tok: makeResource(openIDMod, "HardcodedClaimProtocolMapper"), - }, - "keycloak_openid_hardcoded_role_protocol_mapper": { - Tok: makeResource(openIDMod, "HardcodedRoleProtocolMapper"), - }, - "keycloak_openid_user_attribute_protocol_mapper": { - Tok: makeResource(openIDMod, "UserAttributeProtocolMapper"), - }, - "keycloak_openid_user_property_protocol_mapper": { - Tok: makeResource(openIDMod, "UserPropertyProtocolMapper"), - }, - "keycloak_openid_user_realm_role_protocol_mapper": { - Tok: makeResource(openIDMod, "UserRealmRoleProtocolMapper"), - }, - "keycloak_openid_client_service_account_realm_role": { - Tok: makeResource(openIDMod, "ClientServiceAccountRealmRole"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_aggregate_policy": { - Tok: makeResource(openIDMod, "ClientAggregatePolicy"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_client_policy": {Tok: makeResource(openIDMod, "ClientPolicy")}, "keycloak_openid_client_group_policy": { - Tok: makeResource(openIDMod, "ClientGroupPolicy"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_js_policy": { - Tok: makeResource(openIDMod, "ClientJsPolicy"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_role_policy": { - Tok: makeResource(openIDMod, "ClientRolePolicy"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_time_policy": { - Tok: makeResource(openIDMod, "ClientTimePolicy"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_user_policy": { - Tok: makeResource(openIDMod, "ClientUserPolicy"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, - }, - "keycloak_openid_user_client_role_protocol_mapper": { - Tok: makeResource(openIDMod, "UserClientRoleProtocolMapper"), - }, - "keycloak_openid_user_session_note_protocol_mapper": { - Tok: makeResource(openIDMod, "UserSessionNoteProtocolMapper"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, "keycloak_openid_client_permissions": { - Tok: makeResource(openIDMod, "ClientPermissions"), - Docs: &tfbridge.DocInfo{ - Markdown: []byte(" "), - }, - }, - "keycloak_openid_audience_resolve_protocol_mapper": { - Tok: makeResource(openIDMod, "AudienceResolveProtocolMappter"), + Docs: &tfbridge.DocInfo{AllowMissing: true}, }, - "keycloak_openid_script_protocol_mapper": { - Tok: makeResource(openIDMod, "ScriptProtocolMapper"), - }, - - "keycloak_saml_client": {Tok: makeResource(samlMod, "Client")}, - "keycloak_saml_identity_provider": {Tok: makeResource(samlMod, "IdentityProvider")}, - "keycloak_saml_user_attribute_protocol_mapper": {Tok: makeResource(samlMod, "UserAttributeProtocolMapper")}, - "keycloak_saml_user_property_protocol_mapper": {Tok: makeResource(samlMod, "UserPropertyProtocolMapper")}, - "keycloak_saml_client_scope": {Tok: makeResource(samlMod, "ClientScope")}, - "keycloak_saml_client_default_scopes": {Tok: makeResource(samlMod, "ClientDefaultScope")}, - "keycloak_saml_script_protocol_mapper": {Tok: makeResource(samlMod, "ScriptProtocolMapper")}, - "keycloak_authentication_execution": {Tok: makeResource(authenticationMod, "Execution")}, - "keycloak_authentication_execution_config": {Tok: makeResource(authenticationMod, "ExecutionConfig")}, - "keycloak_authentication_flow": {Tok: makeResource(authenticationMod, "Flow")}, - "keycloak_authentication_subflow": {Tok: makeResource(authenticationMod, "Subflow")}, - "keycloak_authentication_bindings": {Tok: makeResource(authenticationMod, "Bindings")}, + "keycloak_saml_client_default_scopes": {Tok: makeResource(samlMod, "ClientDefaultScope")}, }, DataSources: map[string]*tfbridge.DataSourceInfo{ - "keycloak_group": {Tok: makeDataSource(mainMod, "getGroup")}, - "keycloak_realm": {Tok: makeDataSource(mainMod, "getRealm")}, - "keycloak_user_realm_roles": {Tok: makeDataSource(mainMod, "getUserRealmRoles")}, - "keycloak_realm_keys": {Tok: makeDataSource(mainMod, "getRealmKeys")}, - "keycloak_role": {Tok: makeDataSource(mainMod, "getRole")}, - "keycloak_authentication_execution": {Tok: makeDataSource(mainMod, "getAuthenticationExecution")}, - "keycloak_authentication_flow": {Tok: makeDataSource(mainMod, "getAuthenticationFlow")}, - "keycloak_user": {Tok: makeDataSource(mainMod, "getUser")}, - "keycloak_client_description_converter": {Tok: makeDataSource(mainMod, "getClientDescriptionConverter")}, - - "keycloak_openid_client": {Tok: makeDataSource(openIDMod, "getClient")}, - "keycloak_openid_client_authorization_policy": {Tok: makeDataSource(openIDMod, "getClientAuthorizationPolicy")}, - "keycloak_openid_client_service_account_user": {Tok: makeDataSource(openIDMod, "getClientServiceAccountUser")}, - - "keycloak_saml_client_installation_provider": {Tok: makeDataSource(samlMod, "getClientInstallationProvider")}, - "keycloak_saml_client": {Tok: makeDataSource(samlMod, "getClient")}, + "keycloak_authentication_execution": {Tok: makeDataSource(mainMod, "getAuthenticationExecution")}, + "keycloak_authentication_flow": {Tok: makeDataSource(mainMod, "getAuthenticationFlow")}, }, JavaScript: &tfbridge.JavaScriptInfo{ // List any npm dependencies and their versions @@ -331,7 +166,7 @@ func Provider() tfbridge.ProviderInfo { }, }, Golang: &tfbridge.GolangInfo{ - ImportBasePath: filepath.Join( + ImportBasePath: path.Join( fmt.Sprintf("github.com/pulumi/pulumi-%[1]s/sdk/", mainPkg), tfbridge.GetModuleMajorVersion(version.Version), "go", @@ -339,14 +174,12 @@ func Provider() tfbridge.ProviderInfo { ), GenerateResourceContainerTypes: true, }, - Python: (func() *tfbridge.PythonInfo { - i := &tfbridge.PythonInfo{ - Requires: map[string]string{ - "pulumi": ">=3.0.0,<4.0.0", - }} - i.PyProject.Enabled = true - return i - })(), + Python: &tfbridge.PythonInfo{ + Requires: map[string]string{ + "pulumi": ">=3.0.0,<4.0.0", + }, + PyProject: struct{ Enabled bool }{true}, + }, CSharp: &tfbridge.CSharpInfo{ PackageReferences: map[string]string{ @@ -361,16 +194,16 @@ func Provider() tfbridge.ProviderInfo { "openid": "OpenId", "saml": "Saml", }, - }, MetadataInfo: tfbridge.NewProviderMetadata(metadata), + }, } - prov.MustComputeTokens(tfbridgetokens.KnownModules("keycloak_", mainMod, []string{ + prov.MustComputeTokens(tks.KnownModules("keycloak_", mainMod, []string{ "ldap_", "oidc_", "openid_", "saml_", "authentication_", - }, tfbridgetokens.MakeStandard(mainPkg))) + }, tks.MakeStandard(mainPkg))) prov.MustApplyAutoAliases() @@ -378,6 +211,3 @@ func Provider() tfbridge.ProviderInfo { return prov } - -//go:embed cmd/pulumi-resource-keycloak/bridge-metadata.json -var metadata []byte diff --git a/sdk/dotnet/AttributeToRoleIdentityMapper.cs b/sdk/dotnet/AttributeToRoleIdentityMapper.cs index 720e91b4..a4416cbc 100644 --- a/sdk/dotnet/AttributeToRoleIdentityMapper.cs +++ b/sdk/dotnet/AttributeToRoleIdentityMapper.cs @@ -9,23 +9,85 @@ namespace Pulumi.Keycloak { + /// + /// Allows for creating and managing an attribute to role identity provider mapper within Keycloak. + /// + /// > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var oidcIdentityProvider = new Keycloak.Oidc.IdentityProvider("oidcIdentityProvider", new() + /// { + /// Realm = realm.Id, + /// Alias = "oidc", + /// AuthorizationUrl = "https://example.com/auth", + /// TokenUrl = "https://example.com/token", + /// ClientId = "example_id", + /// ClientSecret = "example_token", + /// DefaultScopes = "openid random profile", + /// }); + /// + /// var realmRole = new Keycloak.Role("realmRole", new() + /// { + /// RealmId = realm.Id, + /// Description = "My Realm Role", + /// }); + /// + /// var oidcAttributeToRoleIdentityMapper = new Keycloak.AttributeToRoleIdentityMapper("oidcAttributeToRoleIdentityMapper", new() + /// { + /// Realm = realm.Id, + /// IdentityProviderAlias = oidcIdentityProvider.Alias, + /// Role = "my-realm-role", + /// ClaimName = "my-claim", + /// ClaimValue = "my-value", + /// ExtraConfig = + /// { + /// { "syncMode", "INHERIT" }, + /// }, + /// }); + /// + /// }); + /// ``` + /// + /// ## Import + /// + /// Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash + /// + /// ```sh + /// $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + /// ``` + /// [KeycloakResourceType("keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper")] public partial class AttributeToRoleIdentityMapper : global::Pulumi.CustomResource { /// - /// Attribute Friendly Name + /// Attribute Friendly Name. Conflicts with `attribute_name`. /// [Output("attributeFriendlyName")] public Output AttributeFriendlyName { get; private set; } = null!; /// - /// Attribute Name + /// Attribute Name. /// [Output("attributeName")] public Output AttributeName { get; private set; } = null!; /// - /// Attribute Value + /// Attribute Value. /// [Output("attributeValue")] public Output AttributeValue { get; private set; } = null!; @@ -42,29 +104,32 @@ public partial class AttributeToRoleIdentityMapper : global::Pulumi.CustomResour [Output("claimValue")] public Output ClaimValue { get; private set; } = null!; + /// + /// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + /// [Output("extraConfig")] public Output?> ExtraConfig { get; private set; } = null!; /// - /// IDP Alias + /// The alias of the associated identity provider. /// [Output("identityProviderAlias")] public Output IdentityProviderAlias { get; private set; } = null!; /// - /// IDP Mapper Name + /// The name of the mapper. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// Realm Name + /// The name of the realm. /// [Output("realm")] public Output Realm { get; private set; } = null!; /// - /// Role Name + /// Role Name. /// [Output("role")] public Output Role { get; private set; } = null!; @@ -116,19 +181,19 @@ public static AttributeToRoleIdentityMapper Get(string name, Input id, A public sealed class AttributeToRoleIdentityMapperArgs : global::Pulumi.ResourceArgs { /// - /// Attribute Friendly Name + /// Attribute Friendly Name. Conflicts with `attribute_name`. /// [Input("attributeFriendlyName")] public Input? AttributeFriendlyName { get; set; } /// - /// Attribute Name + /// Attribute Name. /// [Input("attributeName")] public Input? AttributeName { get; set; } /// - /// Attribute Value + /// Attribute Value. /// [Input("attributeValue")] public Input? AttributeValue { get; set; } @@ -147,6 +212,10 @@ public sealed class AttributeToRoleIdentityMapperArgs : global::Pulumi.ResourceA [Input("extraConfig")] private InputMap? _extraConfig; + + /// + /// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + /// public InputMap ExtraConfig { get => _extraConfig ?? (_extraConfig = new InputMap()); @@ -154,25 +223,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The alias of the associated identity provider. /// [Input("identityProviderAlias", required: true)] public Input IdentityProviderAlias { get; set; } = null!; /// - /// IDP Mapper Name + /// The name of the mapper. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The name of the realm. /// [Input("realm", required: true)] public Input Realm { get; set; } = null!; /// - /// Role Name + /// Role Name. /// [Input("role", required: true)] public Input Role { get; set; } = null!; @@ -186,19 +255,19 @@ public AttributeToRoleIdentityMapperArgs() public sealed class AttributeToRoleIdentityMapperState : global::Pulumi.ResourceArgs { /// - /// Attribute Friendly Name + /// Attribute Friendly Name. Conflicts with `attribute_name`. /// [Input("attributeFriendlyName")] public Input? AttributeFriendlyName { get; set; } /// - /// Attribute Name + /// Attribute Name. /// [Input("attributeName")] public Input? AttributeName { get; set; } /// - /// Attribute Value + /// Attribute Value. /// [Input("attributeValue")] public Input? AttributeValue { get; set; } @@ -217,6 +286,10 @@ public sealed class AttributeToRoleIdentityMapperState : global::Pulumi.Resource [Input("extraConfig")] private InputMap? _extraConfig; + + /// + /// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + /// public InputMap ExtraConfig { get => _extraConfig ?? (_extraConfig = new InputMap()); @@ -224,25 +297,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The alias of the associated identity provider. /// [Input("identityProviderAlias")] public Input? IdentityProviderAlias { get; set; } /// - /// IDP Mapper Name + /// The name of the mapper. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The name of the realm. /// [Input("realm")] public Input? Realm { get; set; } /// - /// Role Name + /// Role Name. /// [Input("role")] public Input? Role { get; set; } diff --git a/sdk/dotnet/HardcodedAttributeIdentityProviderMapper.cs b/sdk/dotnet/HardcodedAttributeIdentityProviderMapper.cs index 467c81f8..337074f8 100644 --- a/sdk/dotnet/HardcodedAttributeIdentityProviderMapper.cs +++ b/sdk/dotnet/HardcodedAttributeIdentityProviderMapper.cs @@ -9,17 +9,64 @@ namespace Pulumi.Keycloak { + /// + /// Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider. + /// + /// The identity provider hardcoded attribute mapper will set the specified value to the IDP attribute. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var oidcIdentityProvider = new Keycloak.Oidc.IdentityProvider("oidcIdentityProvider", new() + /// { + /// Realm = realm.Id, + /// Alias = "my-idp", + /// AuthorizationUrl = "https://authorizationurl.com", + /// ClientId = "clientID", + /// ClientSecret = "clientSecret", + /// TokenUrl = "https://tokenurl.com", + /// }); + /// + /// var oidcHardcodedAttributeIdentityProviderMapper = new Keycloak.HardcodedAttributeIdentityProviderMapper("oidcHardcodedAttributeIdentityProviderMapper", new() + /// { + /// Realm = realm.Id, + /// IdentityProviderAlias = oidcIdentityProvider.Alias, + /// AttributeName = "attribute", + /// AttributeValue = "value", + /// UserSession = true, + /// ExtraConfig = + /// { + /// { "syncMode", "INHERIT" }, + /// }, + /// }); + /// + /// }); + /// ``` + /// [KeycloakResourceType("keycloak:index/hardcodedAttributeIdentityProviderMapper:HardcodedAttributeIdentityProviderMapper")] public partial class HardcodedAttributeIdentityProviderMapper : global::Pulumi.CustomResource { /// - /// OIDC Claim + /// The name of the IDP attribute to set. /// [Output("attributeName")] public Output AttributeName { get; private set; } = null!; /// - /// User Attribute + /// The value to set to the attribute. You can hardcode any value like 'foo'. /// [Output("attributeValue")] public Output AttributeValue { get; private set; } = null!; @@ -28,25 +75,25 @@ public partial class HardcodedAttributeIdentityProviderMapper : global::Pulumi.C public Output?> ExtraConfig { get; private set; } = null!; /// - /// IDP Alias + /// The IDP alias of the attribute to set. /// [Output("identityProviderAlias")] public Output IdentityProviderAlias { get; private set; } = null!; /// - /// IDP Mapper Name + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// Realm Name + /// The realm ID that this mapper will exist in. /// [Output("realm")] public Output Realm { get; private set; } = null!; /// - /// Is Attribute Related To a User Session + /// Is Attribute related to a User Session. /// [Output("userSession")] public Output UserSession { get; private set; } = null!; @@ -98,13 +145,13 @@ public static HardcodedAttributeIdentityProviderMapper Get(string name, Input - /// OIDC Claim + /// The name of the IDP attribute to set. /// [Input("attributeName")] public Input? AttributeName { get; set; } /// - /// User Attribute + /// The value to set to the attribute. You can hardcode any value like 'foo'. /// [Input("attributeValue")] public Input? AttributeValue { get; set; } @@ -118,25 +165,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The IDP alias of the attribute to set. /// [Input("identityProviderAlias", required: true)] public Input IdentityProviderAlias { get; set; } = null!; /// - /// IDP Mapper Name + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The realm ID that this mapper will exist in. /// [Input("realm", required: true)] public Input Realm { get; set; } = null!; /// - /// Is Attribute Related To a User Session + /// Is Attribute related to a User Session. /// [Input("userSession", required: true)] public Input UserSession { get; set; } = null!; @@ -150,13 +197,13 @@ public HardcodedAttributeIdentityProviderMapperArgs() public sealed class HardcodedAttributeIdentityProviderMapperState : global::Pulumi.ResourceArgs { /// - /// OIDC Claim + /// The name of the IDP attribute to set. /// [Input("attributeName")] public Input? AttributeName { get; set; } /// - /// User Attribute + /// The value to set to the attribute. You can hardcode any value like 'foo'. /// [Input("attributeValue")] public Input? AttributeValue { get; set; } @@ -170,25 +217,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The IDP alias of the attribute to set. /// [Input("identityProviderAlias")] public Input? IdentityProviderAlias { get; set; } /// - /// IDP Mapper Name + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The realm ID that this mapper will exist in. /// [Input("realm")] public Input? Realm { get; set; } /// - /// Is Attribute Related To a User Session + /// Is Attribute related to a User Session. /// [Input("userSession")] public Input? UserSession { get; set; } diff --git a/sdk/dotnet/HardcodedRoleIdentityMapper.cs b/sdk/dotnet/HardcodedRoleIdentityMapper.cs index 233be217..96bbf9bb 100644 --- a/sdk/dotnet/HardcodedRoleIdentityMapper.cs +++ b/sdk/dotnet/HardcodedRoleIdentityMapper.cs @@ -9,6 +9,57 @@ namespace Pulumi.Keycloak { + /// + /// Allows for creating and managing hardcoded role mappers for Keycloak identity provider. + /// + /// The identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var oidcIdentityProvider = new Keycloak.Oidc.IdentityProvider("oidcIdentityProvider", new() + /// { + /// Realm = realm.Id, + /// Alias = "my-idp", + /// AuthorizationUrl = "https://authorizationurl.com", + /// ClientId = "clientID", + /// ClientSecret = "clientSecret", + /// TokenUrl = "https://tokenurl.com", + /// }); + /// + /// var realmRole = new Keycloak.Role("realmRole", new() + /// { + /// RealmId = realm.Id, + /// Description = "My Realm Role", + /// }); + /// + /// var oidcHardcodedRoleIdentityMapper = new Keycloak.HardcodedRoleIdentityMapper("oidcHardcodedRoleIdentityMapper", new() + /// { + /// Realm = realm.Id, + /// IdentityProviderAlias = oidcIdentityProvider.Alias, + /// Role = "my-realm-role", + /// ExtraConfig = + /// { + /// { "syncMode", "INHERIT" }, + /// }, + /// }); + /// + /// }); + /// ``` + /// [KeycloakResourceType("keycloak:index/hardcodedRoleIdentityMapper:HardcodedRoleIdentityMapper")] public partial class HardcodedRoleIdentityMapper : global::Pulumi.CustomResource { @@ -16,25 +67,25 @@ public partial class HardcodedRoleIdentityMapper : global::Pulumi.CustomResource public Output?> ExtraConfig { get; private set; } = null!; /// - /// IDP Alias + /// The IDP alias of the attribute to set. /// [Output("identityProviderAlias")] public Output IdentityProviderAlias { get; private set; } = null!; /// - /// IDP Mapper Name + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// Realm Name + /// The realm ID that this mapper will exist in. /// [Output("realm")] public Output Realm { get; private set; } = null!; /// - /// Role Name + /// The name of the role which should be assigned to the users. /// [Output("role")] public Output Role { get; private set; } = null!; @@ -94,25 +145,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The IDP alias of the attribute to set. /// [Input("identityProviderAlias", required: true)] public Input IdentityProviderAlias { get; set; } = null!; /// - /// IDP Mapper Name + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The realm ID that this mapper will exist in. /// [Input("realm", required: true)] public Input Realm { get; set; } = null!; /// - /// Role Name + /// The name of the role which should be assigned to the users. /// [Input("role")] public Input? Role { get; set; } @@ -134,25 +185,25 @@ public InputMap ExtraConfig } /// - /// IDP Alias + /// The IDP alias of the attribute to set. /// [Input("identityProviderAlias")] public Input? IdentityProviderAlias { get; set; } /// - /// IDP Mapper Name + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// Realm Name + /// The realm ID that this mapper will exist in. /// [Input("realm")] public Input? Realm { get; set; } /// - /// Role Name + /// The name of the role which should be assigned to the users. /// [Input("role")] public Input? Role { get; set; } diff --git a/sdk/dotnet/Ldap/HardcodedGroupMapper.cs b/sdk/dotnet/Ldap/HardcodedGroupMapper.cs index fb6e3893..8572ca1b 100644 --- a/sdk/dotnet/Ldap/HardcodedGroupMapper.cs +++ b/sdk/dotnet/Ldap/HardcodedGroupMapper.cs @@ -9,29 +9,90 @@ namespace Pulumi.Keycloak.Ldap { + /// + /// Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP. + /// + /// The LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP. + /// + /// ## Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var ldapUserFederation = new Keycloak.Ldap.UserFederation("ldapUserFederation", new() + /// { + /// RealmId = realm.Id, + /// UsernameLdapAttribute = "cn", + /// RdnLdapAttribute = "cn", + /// UuidLdapAttribute = "entryDN", + /// UserObjectClasses = new[] + /// { + /// "simpleSecurityObject", + /// "organizationalRole", + /// }, + /// ConnectionUrl = "ldap://openldap", + /// UsersDn = "dc=example,dc=org", + /// BindDn = "cn=admin,dc=example,dc=org", + /// BindCredential = "admin", + /// }); + /// + /// var realmGroup = new Keycloak.Group("realmGroup", new() + /// { + /// RealmId = realm.Id, + /// }); + /// + /// var assignGroupToUsers = new Keycloak.Ldap.HardcodedGroupMapper("assignGroupToUsers", new() + /// { + /// RealmId = realm.Id, + /// LdapUserFederationId = ldapUserFederation.Id, + /// Group = realmGroup.Name, + /// }); + /// + /// }); + /// ``` + /// + /// ## Import + /// + /// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash + /// + /// ```sh + /// $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + /// ``` + /// [KeycloakResourceType("keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper")] public partial class HardcodedGroupMapper : global::Pulumi.CustomResource { /// - /// Group to grant to user. + /// The name of the group which should be assigned to the users. /// [Output("group")] public Output Group { get; private set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Output("ldapUserFederationId")] public Output LdapUserFederationId { get; private set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -83,25 +144,25 @@ public static HardcodedGroupMapper Get(string name, Input id, HardcodedG public sealed class HardcodedGroupMapperArgs : global::Pulumi.ResourceArgs { /// - /// Group to grant to user. + /// The name of the group which should be assigned to the users. /// [Input("group", required: true)] public Input Group { get; set; } = null!; /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId", required: true)] public Input LdapUserFederationId { get; set; } = null!; /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; @@ -115,25 +176,25 @@ public HardcodedGroupMapperArgs() public sealed class HardcodedGroupMapperState : global::Pulumi.ResourceArgs { /// - /// Group to grant to user. + /// The name of the group which should be assigned to the users. /// [Input("group")] public Input? Group { get; set; } /// - /// The ldap user federation provider to attach this mapper to. + /// The ID of the LDAP user federation provider to attach this mapper to. /// [Input("ldapUserFederationId")] public Input? LdapUserFederationId { get; set; } /// - /// Display name of the mapper when displayed in the console. + /// Display name of this mapper when displayed in the console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm in which the ldap user federation provider exists. + /// The realm that this LDAP mapper will exist in. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/AudienceResolveProtocolMapper.cs b/sdk/dotnet/OpenId/AudienceResolveProtocolMapper.cs new file mode 100644 index 00000000..746c0124 --- /dev/null +++ b/sdk/dotnet/OpenId/AudienceResolveProtocolMapper.cs @@ -0,0 +1,236 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.Keycloak.OpenId +{ + /// + /// Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. + /// + /// This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles + /// to imply which audiences are appropriate for the token. See the + /// [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. + /// + /// ## Example Usage + /// ### Client) + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var openidClient = new Keycloak.OpenId.Client("openidClient", new() + /// { + /// RealmId = realm.Id, + /// ClientId = "client", + /// Enabled = true, + /// AccessType = "CONFIDENTIAL", + /// ValidRedirectUris = new[] + /// { + /// "http://localhost:8080/openid-callback", + /// }, + /// }); + /// + /// var audienceMapper = new Keycloak.OpenId.AudienceResolveProtocolMapper("audienceMapper", new() + /// { + /// RealmId = realm.Id, + /// ClientId = openidClient.Id, + /// }); + /// + /// }); + /// ``` + /// ### Client Scope) + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new() + /// { + /// RealmId = realm.Id, + /// }); + /// + /// var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper("audienceMapper", new() + /// { + /// RealmId = realm.Id, + /// ClientScopeId = clientScope.Id, + /// }); + /// + /// }); + /// ``` + /// + /// ## Import + /// + /// Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash + /// + /// ```sh + /// $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + /// ```sh + /// $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + /// ``` + /// + [KeycloakResourceType("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper")] + public partial class AudienceResolveProtocolMapper : global::Pulumi.CustomResource + { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// + [Output("clientId")] + public Output ClientId { get; private set; } = null!; + + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// + [Output("clientScopeId")] + public Output ClientScopeId { get; private set; } = null!; + + /// + /// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + /// + [Output("name")] + public Output Name { get; private set; } = null!; + + /// + /// The realm this protocol mapper exists within. + /// + [Output("realmId")] + public Output RealmId { get; private set; } = null!; + + + /// + /// Create a AudienceResolveProtocolMapper resource with the given unique name, arguments, and options. + /// + /// + /// The unique name of the resource + /// The arguments used to populate this resource's properties + /// A bag of options that control this resource's behavior + public AudienceResolveProtocolMapper(string name, AudienceResolveProtocolMapperArgs args, CustomResourceOptions? options = null) + : base("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", name, args ?? new AudienceResolveProtocolMapperArgs(), MakeResourceOptions(options, "")) + { + } + + private AudienceResolveProtocolMapper(string name, Input id, AudienceResolveProtocolMapperState? state = null, CustomResourceOptions? options = null) + : base("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", name, state, MakeResourceOptions(options, id)) + { + } + + private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? options, Input? id) + { + var defaultOptions = new CustomResourceOptions + { + Version = Utilities.Version, + Aliases = + { + new global::Pulumi.Alias { Type = "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter" }, + }, + }; + var merged = CustomResourceOptions.Merge(defaultOptions, options); + // Override the ID if one was specified for consistency with other language SDKs. + merged.Id = id ?? merged.Id; + return merged; + } + /// + /// Get an existing AudienceResolveProtocolMapper resource's state with the given name, ID, and optional extra + /// properties used to qualify the lookup. + /// + /// + /// The unique name of the resulting resource. + /// The unique provider ID of the resource to lookup. + /// Any extra arguments used during the lookup. + /// A bag of options that control this resource's behavior + public static AudienceResolveProtocolMapper Get(string name, Input id, AudienceResolveProtocolMapperState? state = null, CustomResourceOptions? options = null) + { + return new AudienceResolveProtocolMapper(name, id, state, options); + } + } + + public sealed class AudienceResolveProtocolMapperArgs : global::Pulumi.ResourceArgs + { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// + [Input("clientId")] + public Input? ClientId { get; set; } + + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// + [Input("clientScopeId")] + public Input? ClientScopeId { get; set; } + + /// + /// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + /// + [Input("name")] + public Input? Name { get; set; } + + /// + /// The realm this protocol mapper exists within. + /// + [Input("realmId", required: true)] + public Input RealmId { get; set; } = null!; + + public AudienceResolveProtocolMapperArgs() + { + } + public static new AudienceResolveProtocolMapperArgs Empty => new AudienceResolveProtocolMapperArgs(); + } + + public sealed class AudienceResolveProtocolMapperState : global::Pulumi.ResourceArgs + { + /// + /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// + [Input("clientId")] + public Input? ClientId { get; set; } + + /// + /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// + [Input("clientScopeId")] + public Input? ClientScopeId { get; set; } + + /// + /// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + /// + [Input("name")] + public Input? Name { get; set; } + + /// + /// The realm this protocol mapper exists within. + /// + [Input("realmId")] + public Input? RealmId { get; set; } + + public AudienceResolveProtocolMapperState() + { + } + public static new AudienceResolveProtocolMapperState Empty => new AudienceResolveProtocolMapperState(); + } +} diff --git a/sdk/dotnet/OpenId/AudienceResolveProtocolMappter.cs b/sdk/dotnet/OpenId/AudienceResolveProtocolMappter.cs index 64ce5570..3be115e3 100644 --- a/sdk/dotnet/OpenId/AudienceResolveProtocolMappter.cs +++ b/sdk/dotnet/OpenId/AudienceResolveProtocolMappter.cs @@ -9,115 +9,30 @@ namespace Pulumi.Keycloak.OpenId { - /// - /// Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. - /// - /// This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles - /// to imply which audiences are appropriate for the token. See the - /// [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. - /// - /// ## Example Usage - /// ### Client) - /// - /// ```csharp - /// using System.Collections.Generic; - /// using System.Linq; - /// using Pulumi; - /// using Keycloak = Pulumi.Keycloak; - /// - /// return await Deployment.RunAsync(() => - /// { - /// var realm = new Keycloak.Realm("realm", new() - /// { - /// RealmName = "my-realm", - /// Enabled = true, - /// }); - /// - /// var openidClient = new Keycloak.OpenId.Client("openidClient", new() - /// { - /// RealmId = realm.Id, - /// ClientId = "client", - /// Enabled = true, - /// AccessType = "CONFIDENTIAL", - /// ValidRedirectUris = new[] - /// { - /// "http://localhost:8080/openid-callback", - /// }, - /// }); - /// - /// var audienceMapper = new Keycloak.OpenId.AudienceResolveProtocolMappter("audienceMapper", new() - /// { - /// RealmId = realm.Id, - /// ClientId = openidClient.Id, - /// }); - /// - /// }); - /// ``` - /// ### Client Scope) - /// - /// ```csharp - /// using System.Collections.Generic; - /// using System.Linq; - /// using Pulumi; - /// using Keycloak = Pulumi.Keycloak; - /// - /// return await Deployment.RunAsync(() => - /// { - /// var realm = new Keycloak.Realm("realm", new() - /// { - /// RealmName = "my-realm", - /// Enabled = true, - /// }); - /// - /// var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new() - /// { - /// RealmId = realm.Id, - /// }); - /// - /// var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper("audienceMapper", new() - /// { - /// RealmId = realm.Id, - /// ClientScopeId = clientScope.Id, - /// }); - /// - /// }); - /// ``` - /// - /// ## Import - /// - /// Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash - /// - /// ```sh - /// $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - /// ``` - /// - /// ```sh - /// $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - /// ``` - /// + [Obsolete(@"keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper")] [KeycloakResourceType("keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter")] public partial class AudienceResolveProtocolMappter : global::Pulumi.CustomResource { /// - /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// The mapper's associated client. Cannot be used at the same time as client_scope_id. /// [Output("clientId")] public Output ClientId { get; private set; } = null!; /// - /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// The mapper's associated client scope. Cannot be used at the same time as client_id. /// [Output("clientScopeId")] public Output ClientScopeId { get; private set; } = null!; /// - /// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + /// A human-friendly name that will appear in the Keycloak console. /// [Output("name")] public Output Name { get; private set; } = null!; /// - /// The realm this protocol mapper exists within. + /// The realm id where the associated client or client scope exists. /// [Output("realmId")] public Output RealmId { get; private set; } = null!; @@ -169,25 +84,25 @@ public static AudienceResolveProtocolMappter Get(string name, Input id, public sealed class AudienceResolveProtocolMappterArgs : global::Pulumi.ResourceArgs { /// - /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// The mapper's associated client. Cannot be used at the same time as client_scope_id. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// The mapper's associated client scope. Cannot be used at the same time as client_id. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + /// A human-friendly name that will appear in the Keycloak console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm this protocol mapper exists within. + /// The realm id where the associated client or client scope exists. /// [Input("realmId", required: true)] public Input RealmId { get; set; } = null!; @@ -201,25 +116,25 @@ public AudienceResolveProtocolMappterArgs() public sealed class AudienceResolveProtocolMappterState : global::Pulumi.ResourceArgs { /// - /// The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + /// The mapper's associated client. Cannot be used at the same time as client_scope_id. /// [Input("clientId")] public Input? ClientId { get; set; } /// - /// The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + /// The mapper's associated client scope. Cannot be used at the same time as client_id. /// [Input("clientScopeId")] public Input? ClientScopeId { get; set; } /// - /// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + /// A human-friendly name that will appear in the Keycloak console. /// [Input("name")] public Input? Name { get; set; } /// - /// The realm this protocol mapper exists within. + /// The realm id where the associated client or client scope exists. /// [Input("realmId")] public Input? RealmId { get; set; } diff --git a/sdk/dotnet/OpenId/ClientAuthorizationPermission.cs b/sdk/dotnet/OpenId/ClientAuthorizationPermission.cs index 62cac68a..7c93db78 100644 --- a/sdk/dotnet/OpenId/ClientAuthorizationPermission.cs +++ b/sdk/dotnet/OpenId/ClientAuthorizationPermission.cs @@ -9,6 +9,108 @@ namespace Pulumi.Keycloak.OpenId { + /// + /// ## # keycloak.openid.ClientAuthorizationPermission + /// + /// Allows you to manage openid Client Authorization Permissions. + /// + /// ### Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "my-realm", + /// Enabled = true, + /// }); + /// + /// var testClient = new Keycloak.OpenId.Client("testClient", new() + /// { + /// ClientId = "client_id", + /// RealmId = realm.Id, + /// AccessType = "CONFIDENTIAL", + /// ServiceAccountsEnabled = true, + /// Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs + /// { + /// PolicyEnforcementMode = "ENFORCING", + /// }, + /// }); + /// + /// var @default = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new() + /// { + /// RealmId = realm.Id, + /// ResourceServerId = testClient.ResourceServerId, + /// Name = "default", + /// }); + /// + /// var testClientAuthorizationResource = new Keycloak.OpenId.ClientAuthorizationResource("testClientAuthorizationResource", new() + /// { + /// ResourceServerId = testClient.ResourceServerId, + /// RealmId = realm.Id, + /// Uris = new[] + /// { + /// "/endpoint/*", + /// }, + /// }); + /// + /// var testClientAuthorizationScope = new Keycloak.OpenId.ClientAuthorizationScope("testClientAuthorizationScope", new() + /// { + /// ResourceServerId = testClient.ResourceServerId, + /// RealmId = realm.Id, + /// }); + /// + /// var testClientAuthorizationPermission = new Keycloak.OpenId.ClientAuthorizationPermission("testClientAuthorizationPermission", new() + /// { + /// ResourceServerId = testClient.ResourceServerId, + /// RealmId = realm.Id, + /// Policies = new[] + /// { + /// @default.Apply(@default => @default.Apply(getClientAuthorizationPolicyResult => getClientAuthorizationPolicyResult.Id)), + /// }, + /// Resources = new[] + /// { + /// testClientAuthorizationResource.Id, + /// }, + /// }); + /// + /// }); + /// ``` + /// + /// ### Argument Reference + /// + /// The following arguments are supported: + /// + /// - `realm_id` - (Required) The realm this group exists in. + /// - `resource_server_id` - (Required) The ID of the resource server. + /// - `name` - (Required) The name of the permission. + /// - `description` - (Optional) A description for the authorization permission. + /// - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`. + /// - `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission. + /// - `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`. + /// - `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`. + /// - `scopes` - (Optional) A list of scope IDs that this permission must be applied to. + /// - `type` - (Optional) The type of permission, can be one of `resource` or `scope`. + /// + /// ### Attributes Reference + /// + /// In addition to the arguments listed above, the following computed attributes are exported: + /// + /// - `id` - Permission ID representing the permission. + /// + /// ## Import + /// + /// Client authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash + /// + /// ```sh + /// $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9 + /// ``` + /// [KeycloakResourceType("keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission")] public partial class ClientAuthorizationPermission : global::Pulumi.CustomResource { diff --git a/sdk/dotnet/OpenId/ClientPermissions.cs b/sdk/dotnet/OpenId/ClientPermissions.cs index 4ea664d2..08b4d598 100644 --- a/sdk/dotnet/OpenId/ClientPermissions.cs +++ b/sdk/dotnet/OpenId/ClientPermissions.cs @@ -9,6 +9,137 @@ namespace Pulumi.Keycloak.OpenId { + /// + /// ## # keycloak.openid.ClientPermissions + /// + /// Allows you to manage all openid client Scope Based Permissions. + /// + /// This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More + /// information about enabling the preview feature can be found + /// here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange + /// + /// When enabling Openid Client Permissions, Keycloak does several things automatically: + /// + /// 1. Enable Authorization on build-in realm-management client + /// 2. Create scopes "view", "manage", "configure", "map-roles", "map-roles-client-scope", "map-roles-composite", " + /// token-exchange" + /// 3. Create a resource representing the openid client + /// 4. Create all scope based permission for the scopes and openid client resource + /// + /// If the realm-management Authorization is not enable, you have to ceate a dependency (`depends_on`) with the policy and + /// the openid client. + /// + /// ### Example Usage + /// + /// ```csharp + /// using System.Collections.Generic; + /// using System.Linq; + /// using Pulumi; + /// using Keycloak = Pulumi.Keycloak; + /// + /// return await Deployment.RunAsync(() => + /// { + /// var realm = new Keycloak.Realm("realm", new() + /// { + /// RealmName = "realm", + /// }); + /// + /// var myOpenidClient = new Keycloak.OpenId.Client("myOpenidClient", new() + /// { + /// RealmId = realm.Id, + /// ClientId = "my_openid_client", + /// ClientSecret = "secret", + /// AccessType = "CONFIDENTIAL", + /// StandardFlowEnabled = true, + /// ValidRedirectUris = new[] + /// { + /// "http://localhost:8080/*", + /// }, + /// }); + /// + /// var realmManagement = Keycloak.OpenId.GetClient.Invoke(new() + /// { + /// RealmId = realm.Id, + /// ClientId = "realm-management", + /// }); + /// + /// var testUser = new Keycloak.User("testUser", new() + /// { + /// RealmId = realm.Id, + /// Username = "test-user", + /// Email = "test-user@fakedomain.com", + /// FirstName = "Testy", + /// LastName = "Tester", + /// }); + /// + /// var testClientUserPolicy = new Keycloak.OpenId.ClientUserPolicy("testClientUserPolicy", new() + /// { + /// ResourceServerId = realmManagement.Apply(getClientResult => getClientResult.Id), + /// RealmId = realm.Id, + /// Users = new[] + /// { + /// testUser.Id, + /// }, + /// Logic = "POSITIVE", + /// DecisionStrategy = "UNANIMOUS", + /// }, new CustomResourceOptions + /// { + /// DependsOn = new[] + /// { + /// myOpenidClient, + /// }, + /// }); + /// + /// var myPermission = new Keycloak.OpenId.ClientPermissions("myPermission", new() + /// { + /// RealmId = realm.Id, + /// ClientId = myOpenidClient.Id, + /// ViewScope = new Keycloak.OpenId.Inputs.ClientPermissionsViewScopeArgs + /// { + /// Policies = new[] + /// { + /// testClientUserPolicy.Id, + /// }, + /// Description = "my description", + /// DecisionStrategy = "UNANIMOUS", + /// }, + /// }); + /// + /// }); + /// ``` + /// + /// ### Argument Reference + /// + /// The following arguments are supported: + /// + /// - `realm_id` - (Required) The realm this group exists in. + /// - `client_id` - (Required) The id of the client that provides the role. + /// + /// #### Permission Scopes + /// + /// Permission scopes can be defined using the following attributes: + /// + /// - `view_scope` + /// - `manage_scope` + /// - `configure_scope` + /// - `map_roles_scope` + /// - `map_roles_client_scope_scope` + /// - `map_roles_composite_scope` + /// - `token_exchange_scope` + /// + /// Each of these attributes have the following schema: + /// + /// - `policies` - (Optional) A list of policy IDs + /// - `description` - (Optional) A description for the permission scope + /// - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. + /// + /// ### Attributes Reference + /// + /// In addition to the arguments listed above, the following computed attributes are exported: + /// + /// - `authorization_resource_server_id` - Resource server id representing the realm management client on which this + /// permission is managed. + /// [KeycloakResourceType("keycloak:openid/clientPermissions:ClientPermissions")] public partial class ClientPermissions : global::Pulumi.CustomResource { diff --git a/sdk/dotnet/UsersPermissions.cs b/sdk/dotnet/UsersPermissions.cs index 4721f8aa..e6a0be36 100644 --- a/sdk/dotnet/UsersPermissions.cs +++ b/sdk/dotnet/UsersPermissions.cs @@ -9,6 +9,36 @@ namespace Pulumi.Keycloak { + /// + /// ## Example Usage + /// ### Argument Reference + /// + /// The following arguments are supported: + /// + /// - `realm_id` - (Required) The realm in which to manage fine-grained user permissions. + /// + /// Each of the scopes that can be managed are defined below: + /// + /// - `view_scope` - (Optional) When specified, set the scope based view permission. + /// - `manage_scope` - (Optional) When specified, set the scope based manage permission. + /// - `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission. + /// - `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission. + /// - `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission. + /// - `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission. + /// + /// The configuration block for each of these scopes supports the following arguments: + /// + /// - `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. + /// - `description` - (Optional) Description of the permission. + /// - `decision_strategy` - (Optional) Decision strategy of the permission. + /// + /// ### Attributes Reference + /// + /// In addition to the arguments listed above, the following computed attributes are exported: + /// + /// - `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. + /// - `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed. + /// [KeycloakResourceType("keycloak:index/usersPermissions:UsersPermissions")] public partial class UsersPermissions : global::Pulumi.CustomResource { diff --git a/sdk/go/keycloak/attributeToRoleIdentityMapper.go b/sdk/go/keycloak/attributeToRoleIdentityMapper.go index 92e74ed2..9167e25b 100644 --- a/sdk/go/keycloak/attributeToRoleIdentityMapper.go +++ b/sdk/go/keycloak/attributeToRoleIdentityMapper.go @@ -12,27 +12,101 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// Allows for creating and managing an attribute to role identity provider mapper within Keycloak. +// +// > If you are using Keycloak 10 or higher, you will need to specify the `extraConfig` argument in order to define a `syncMode` for the mapper. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// oidcIdentityProvider, err := oidc.NewIdentityProvider(ctx, "oidcIdentityProvider", &oidc.IdentityProviderArgs{ +// Realm: realm.ID(), +// Alias: pulumi.String("oidc"), +// AuthorizationUrl: pulumi.String("https://example.com/auth"), +// TokenUrl: pulumi.String("https://example.com/token"), +// ClientId: pulumi.String("example_id"), +// ClientSecret: pulumi.String("example_token"), +// DefaultScopes: pulumi.String("openid random profile"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewRole(ctx, "realmRole", &keycloak.RoleArgs{ +// RealmId: realm.ID(), +// Description: pulumi.String("My Realm Role"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewAttributeToRoleIdentityMapper(ctx, "oidcAttributeToRoleIdentityMapper", &keycloak.AttributeToRoleIdentityMapperArgs{ +// Realm: realm.ID(), +// IdentityProviderAlias: oidcIdentityProvider.Alias, +// Role: pulumi.String("my-realm-role"), +// ClaimName: pulumi.String("my-claim"), +// ClaimValue: pulumi.String("my-value"), +// ExtraConfig: pulumi.Map{ +// "syncMode": pulumi.Any("INHERIT"), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Import +// +// Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash +// +// ```sh +// +// $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b +// +// ``` type AttributeToRoleIdentityMapper struct { pulumi.CustomResourceState - // Attribute Friendly Name + // Attribute Friendly Name. Conflicts with `attributeName`. AttributeFriendlyName pulumi.StringPtrOutput `pulumi:"attributeFriendlyName"` - // Attribute Name + // Attribute Name. AttributeName pulumi.StringPtrOutput `pulumi:"attributeName"` - // Attribute Value + // Attribute Value. AttributeValue pulumi.StringPtrOutput `pulumi:"attributeValue"` // OIDC Claim Name ClaimName pulumi.StringPtrOutput `pulumi:"claimName"` // OIDC Claim Value - ClaimValue pulumi.StringPtrOutput `pulumi:"claimValue"` - ExtraConfig pulumi.MapOutput `pulumi:"extraConfig"` - // IDP Alias + ClaimValue pulumi.StringPtrOutput `pulumi:"claimValue"` + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + ExtraConfig pulumi.MapOutput `pulumi:"extraConfig"` + // The alias of the associated identity provider. IdentityProviderAlias pulumi.StringOutput `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // The name of the mapper. Name pulumi.StringOutput `pulumi:"name"` - // Realm Name + // The name of the realm. Realm pulumi.StringOutput `pulumi:"realm"` - // Role Name + // Role Name. Role pulumi.StringOutput `pulumi:"role"` } @@ -75,46 +149,48 @@ func GetAttributeToRoleIdentityMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering AttributeToRoleIdentityMapper resources. type attributeToRoleIdentityMapperState struct { - // Attribute Friendly Name + // Attribute Friendly Name. Conflicts with `attributeName`. AttributeFriendlyName *string `pulumi:"attributeFriendlyName"` - // Attribute Name + // Attribute Name. AttributeName *string `pulumi:"attributeName"` - // Attribute Value + // Attribute Value. AttributeValue *string `pulumi:"attributeValue"` // OIDC Claim Name ClaimName *string `pulumi:"claimName"` // OIDC Claim Value - ClaimValue *string `pulumi:"claimValue"` + ClaimValue *string `pulumi:"claimValue"` + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig map[string]interface{} `pulumi:"extraConfig"` - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias *string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // The name of the mapper. Name *string `pulumi:"name"` - // Realm Name + // The name of the realm. Realm *string `pulumi:"realm"` - // Role Name + // Role Name. Role *string `pulumi:"role"` } type AttributeToRoleIdentityMapperState struct { - // Attribute Friendly Name + // Attribute Friendly Name. Conflicts with `attributeName`. AttributeFriendlyName pulumi.StringPtrInput - // Attribute Name + // Attribute Name. AttributeName pulumi.StringPtrInput - // Attribute Value + // Attribute Value. AttributeValue pulumi.StringPtrInput // OIDC Claim Name ClaimName pulumi.StringPtrInput // OIDC Claim Value - ClaimValue pulumi.StringPtrInput + ClaimValue pulumi.StringPtrInput + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig pulumi.MapInput - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias pulumi.StringPtrInput - // IDP Mapper Name + // The name of the mapper. Name pulumi.StringPtrInput - // Realm Name + // The name of the realm. Realm pulumi.StringPtrInput - // Role Name + // Role Name. Role pulumi.StringPtrInput } @@ -123,47 +199,49 @@ func (AttributeToRoleIdentityMapperState) ElementType() reflect.Type { } type attributeToRoleIdentityMapperArgs struct { - // Attribute Friendly Name + // Attribute Friendly Name. Conflicts with `attributeName`. AttributeFriendlyName *string `pulumi:"attributeFriendlyName"` - // Attribute Name + // Attribute Name. AttributeName *string `pulumi:"attributeName"` - // Attribute Value + // Attribute Value. AttributeValue *string `pulumi:"attributeValue"` // OIDC Claim Name ClaimName *string `pulumi:"claimName"` // OIDC Claim Value - ClaimValue *string `pulumi:"claimValue"` + ClaimValue *string `pulumi:"claimValue"` + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig map[string]interface{} `pulumi:"extraConfig"` - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // The name of the mapper. Name *string `pulumi:"name"` - // Realm Name + // The name of the realm. Realm string `pulumi:"realm"` - // Role Name + // Role Name. Role string `pulumi:"role"` } // The set of arguments for constructing a AttributeToRoleIdentityMapper resource. type AttributeToRoleIdentityMapperArgs struct { - // Attribute Friendly Name + // Attribute Friendly Name. Conflicts with `attributeName`. AttributeFriendlyName pulumi.StringPtrInput - // Attribute Name + // Attribute Name. AttributeName pulumi.StringPtrInput - // Attribute Value + // Attribute Value. AttributeValue pulumi.StringPtrInput // OIDC Claim Name ClaimName pulumi.StringPtrInput // OIDC Claim Value - ClaimValue pulumi.StringPtrInput + ClaimValue pulumi.StringPtrInput + // Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. ExtraConfig pulumi.MapInput - // IDP Alias + // The alias of the associated identity provider. IdentityProviderAlias pulumi.StringInput - // IDP Mapper Name + // The name of the mapper. Name pulumi.StringPtrInput - // Realm Name + // The name of the realm. Realm pulumi.StringInput - // Role Name + // Role Name. Role pulumi.StringInput } @@ -254,17 +332,17 @@ func (o AttributeToRoleIdentityMapperOutput) ToAttributeToRoleIdentityMapperOutp return o } -// Attribute Friendly Name +// Attribute Friendly Name. Conflicts with `attributeName`. func (o AttributeToRoleIdentityMapperOutput) AttributeFriendlyName() pulumi.StringPtrOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringPtrOutput { return v.AttributeFriendlyName }).(pulumi.StringPtrOutput) } -// Attribute Name +// Attribute Name. func (o AttributeToRoleIdentityMapperOutput) AttributeName() pulumi.StringPtrOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringPtrOutput { return v.AttributeName }).(pulumi.StringPtrOutput) } -// Attribute Value +// Attribute Value. func (o AttributeToRoleIdentityMapperOutput) AttributeValue() pulumi.StringPtrOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringPtrOutput { return v.AttributeValue }).(pulumi.StringPtrOutput) } @@ -279,26 +357,27 @@ func (o AttributeToRoleIdentityMapperOutput) ClaimValue() pulumi.StringPtrOutput return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringPtrOutput { return v.ClaimValue }).(pulumi.StringPtrOutput) } +// Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. func (o AttributeToRoleIdentityMapperOutput) ExtraConfig() pulumi.MapOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.MapOutput { return v.ExtraConfig }).(pulumi.MapOutput) } -// IDP Alias +// The alias of the associated identity provider. func (o AttributeToRoleIdentityMapperOutput) IdentityProviderAlias() pulumi.StringOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringOutput { return v.IdentityProviderAlias }).(pulumi.StringOutput) } -// IDP Mapper Name +// The name of the mapper. func (o AttributeToRoleIdentityMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// Realm Name +// The name of the realm. func (o AttributeToRoleIdentityMapperOutput) Realm() pulumi.StringOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringOutput { return v.Realm }).(pulumi.StringOutput) } -// Role Name +// Role Name. func (o AttributeToRoleIdentityMapperOutput) Role() pulumi.StringOutput { return o.ApplyT(func(v *AttributeToRoleIdentityMapper) pulumi.StringOutput { return v.Role }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/hardcodedAttributeIdentityProviderMapper.go b/sdk/go/keycloak/hardcodedAttributeIdentityProviderMapper.go index 1c7dc0ec..014c03d5 100644 --- a/sdk/go/keycloak/hardcodedAttributeIdentityProviderMapper.go +++ b/sdk/go/keycloak/hardcodedAttributeIdentityProviderMapper.go @@ -12,21 +12,76 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider. +// +// The identity provider hardcoded attribute mapper will set the specified value to the IDP attribute. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// oidcIdentityProvider, err := oidc.NewIdentityProvider(ctx, "oidcIdentityProvider", &oidc.IdentityProviderArgs{ +// Realm: realm.ID(), +// Alias: pulumi.String("my-idp"), +// AuthorizationUrl: pulumi.String("https://authorizationurl.com"), +// ClientId: pulumi.String("clientID"), +// ClientSecret: pulumi.String("clientSecret"), +// TokenUrl: pulumi.String("https://tokenurl.com"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewHardcodedAttributeIdentityProviderMapper(ctx, "oidcHardcodedAttributeIdentityProviderMapper", &keycloak.HardcodedAttributeIdentityProviderMapperArgs{ +// Realm: realm.ID(), +// IdentityProviderAlias: oidcIdentityProvider.Alias, +// AttributeName: pulumi.String("attribute"), +// AttributeValue: pulumi.String("value"), +// UserSession: pulumi.Bool(true), +// ExtraConfig: pulumi.Map{ +// "syncMode": pulumi.Any("INHERIT"), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` type HardcodedAttributeIdentityProviderMapper struct { pulumi.CustomResourceState - // OIDC Claim + // The name of the IDP attribute to set. AttributeName pulumi.StringPtrOutput `pulumi:"attributeName"` - // User Attribute + // The value to set to the attribute. You can hardcode any value like 'foo'. AttributeValue pulumi.StringPtrOutput `pulumi:"attributeValue"` ExtraConfig pulumi.MapOutput `pulumi:"extraConfig"` - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias pulumi.StringOutput `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name pulumi.StringOutput `pulumi:"name"` - // Realm Name + // The realm ID that this mapper will exist in. Realm pulumi.StringOutput `pulumi:"realm"` - // Is Attribute Related To a User Session + // Is Attribute related to a User Session. UserSession pulumi.BoolOutput `pulumi:"userSession"` } @@ -69,34 +124,34 @@ func GetHardcodedAttributeIdentityProviderMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering HardcodedAttributeIdentityProviderMapper resources. type hardcodedAttributeIdentityProviderMapperState struct { - // OIDC Claim + // The name of the IDP attribute to set. AttributeName *string `pulumi:"attributeName"` - // User Attribute + // The value to set to the attribute. You can hardcode any value like 'foo'. AttributeValue *string `pulumi:"attributeValue"` ExtraConfig map[string]interface{} `pulumi:"extraConfig"` - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias *string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // Realm Name + // The realm ID that this mapper will exist in. Realm *string `pulumi:"realm"` - // Is Attribute Related To a User Session + // Is Attribute related to a User Session. UserSession *bool `pulumi:"userSession"` } type HardcodedAttributeIdentityProviderMapperState struct { - // OIDC Claim + // The name of the IDP attribute to set. AttributeName pulumi.StringPtrInput - // User Attribute + // The value to set to the attribute. You can hardcode any value like 'foo'. AttributeValue pulumi.StringPtrInput ExtraConfig pulumi.MapInput - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias pulumi.StringPtrInput - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // Realm Name + // The realm ID that this mapper will exist in. Realm pulumi.StringPtrInput - // Is Attribute Related To a User Session + // Is Attribute related to a User Session. UserSession pulumi.BoolPtrInput } @@ -105,35 +160,35 @@ func (HardcodedAttributeIdentityProviderMapperState) ElementType() reflect.Type } type hardcodedAttributeIdentityProviderMapperArgs struct { - // OIDC Claim + // The name of the IDP attribute to set. AttributeName *string `pulumi:"attributeName"` - // User Attribute + // The value to set to the attribute. You can hardcode any value like 'foo'. AttributeValue *string `pulumi:"attributeValue"` ExtraConfig map[string]interface{} `pulumi:"extraConfig"` - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // Realm Name + // The realm ID that this mapper will exist in. Realm string `pulumi:"realm"` - // Is Attribute Related To a User Session + // Is Attribute related to a User Session. UserSession bool `pulumi:"userSession"` } // The set of arguments for constructing a HardcodedAttributeIdentityProviderMapper resource. type HardcodedAttributeIdentityProviderMapperArgs struct { - // OIDC Claim + // The name of the IDP attribute to set. AttributeName pulumi.StringPtrInput - // User Attribute + // The value to set to the attribute. You can hardcode any value like 'foo'. AttributeValue pulumi.StringPtrInput ExtraConfig pulumi.MapInput - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias pulumi.StringInput - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // Realm Name + // The realm ID that this mapper will exist in. Realm pulumi.StringInput - // Is Attribute Related To a User Session + // Is Attribute related to a User Session. UserSession pulumi.BoolInput } @@ -224,12 +279,12 @@ func (o HardcodedAttributeIdentityProviderMapperOutput) ToHardcodedAttributeIden return o } -// OIDC Claim +// The name of the IDP attribute to set. func (o HardcodedAttributeIdentityProviderMapperOutput) AttributeName() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.StringPtrOutput { return v.AttributeName }).(pulumi.StringPtrOutput) } -// User Attribute +// The value to set to the attribute. You can hardcode any value like 'foo'. func (o HardcodedAttributeIdentityProviderMapperOutput) AttributeValue() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.StringPtrOutput { return v.AttributeValue }).(pulumi.StringPtrOutput) } @@ -238,22 +293,22 @@ func (o HardcodedAttributeIdentityProviderMapperOutput) ExtraConfig() pulumi.Map return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.MapOutput { return v.ExtraConfig }).(pulumi.MapOutput) } -// IDP Alias +// The IDP alias of the attribute to set. func (o HardcodedAttributeIdentityProviderMapperOutput) IdentityProviderAlias() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.StringOutput { return v.IdentityProviderAlias }).(pulumi.StringOutput) } -// IDP Mapper Name +// Display name of this mapper when displayed in the console. func (o HardcodedAttributeIdentityProviderMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// Realm Name +// The realm ID that this mapper will exist in. func (o HardcodedAttributeIdentityProviderMapperOutput) Realm() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.StringOutput { return v.Realm }).(pulumi.StringOutput) } -// Is Attribute Related To a User Session +// Is Attribute related to a User Session. func (o HardcodedAttributeIdentityProviderMapperOutput) UserSession() pulumi.BoolOutput { return o.ApplyT(func(v *HardcodedAttributeIdentityProviderMapper) pulumi.BoolOutput { return v.UserSession }).(pulumi.BoolOutput) } diff --git a/sdk/go/keycloak/hardcodedRoleIdentityMapper.go b/sdk/go/keycloak/hardcodedRoleIdentityMapper.go index f9ef9ed9..f33065e0 100644 --- a/sdk/go/keycloak/hardcodedRoleIdentityMapper.go +++ b/sdk/go/keycloak/hardcodedRoleIdentityMapper.go @@ -12,17 +12,77 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// Allows for creating and managing hardcoded role mappers for Keycloak identity provider. +// +// The identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// oidcIdentityProvider, err := oidc.NewIdentityProvider(ctx, "oidcIdentityProvider", &oidc.IdentityProviderArgs{ +// Realm: realm.ID(), +// Alias: pulumi.String("my-idp"), +// AuthorizationUrl: pulumi.String("https://authorizationurl.com"), +// ClientId: pulumi.String("clientID"), +// ClientSecret: pulumi.String("clientSecret"), +// TokenUrl: pulumi.String("https://tokenurl.com"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewRole(ctx, "realmRole", &keycloak.RoleArgs{ +// RealmId: realm.ID(), +// Description: pulumi.String("My Realm Role"), +// }) +// if err != nil { +// return err +// } +// _, err = keycloak.NewHardcodedRoleIdentityMapper(ctx, "oidcHardcodedRoleIdentityMapper", &keycloak.HardcodedRoleIdentityMapperArgs{ +// Realm: realm.ID(), +// IdentityProviderAlias: oidcIdentityProvider.Alias, +// Role: pulumi.String("my-realm-role"), +// ExtraConfig: pulumi.Map{ +// "syncMode": pulumi.Any("INHERIT"), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` type HardcodedRoleIdentityMapper struct { pulumi.CustomResourceState ExtraConfig pulumi.MapOutput `pulumi:"extraConfig"` - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias pulumi.StringOutput `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name pulumi.StringOutput `pulumi:"name"` - // Realm Name + // The realm ID that this mapper will exist in. Realm pulumi.StringOutput `pulumi:"realm"` - // Role Name + // The name of the role which should be assigned to the users. Role pulumi.StringPtrOutput `pulumi:"role"` } @@ -63,25 +123,25 @@ func GetHardcodedRoleIdentityMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering HardcodedRoleIdentityMapper resources. type hardcodedRoleIdentityMapperState struct { ExtraConfig map[string]interface{} `pulumi:"extraConfig"` - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias *string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // Realm Name + // The realm ID that this mapper will exist in. Realm *string `pulumi:"realm"` - // Role Name + // The name of the role which should be assigned to the users. Role *string `pulumi:"role"` } type HardcodedRoleIdentityMapperState struct { ExtraConfig pulumi.MapInput - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias pulumi.StringPtrInput - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // Realm Name + // The realm ID that this mapper will exist in. Realm pulumi.StringPtrInput - // Role Name + // The name of the role which should be assigned to the users. Role pulumi.StringPtrInput } @@ -91,26 +151,26 @@ func (HardcodedRoleIdentityMapperState) ElementType() reflect.Type { type hardcodedRoleIdentityMapperArgs struct { ExtraConfig map[string]interface{} `pulumi:"extraConfig"` - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias string `pulumi:"identityProviderAlias"` - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // Realm Name + // The realm ID that this mapper will exist in. Realm string `pulumi:"realm"` - // Role Name + // The name of the role which should be assigned to the users. Role *string `pulumi:"role"` } // The set of arguments for constructing a HardcodedRoleIdentityMapper resource. type HardcodedRoleIdentityMapperArgs struct { ExtraConfig pulumi.MapInput - // IDP Alias + // The IDP alias of the attribute to set. IdentityProviderAlias pulumi.StringInput - // IDP Mapper Name + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // Realm Name + // The realm ID that this mapper will exist in. Realm pulumi.StringInput - // Role Name + // The name of the role which should be assigned to the users. Role pulumi.StringPtrInput } @@ -205,22 +265,22 @@ func (o HardcodedRoleIdentityMapperOutput) ExtraConfig() pulumi.MapOutput { return o.ApplyT(func(v *HardcodedRoleIdentityMapper) pulumi.MapOutput { return v.ExtraConfig }).(pulumi.MapOutput) } -// IDP Alias +// The IDP alias of the attribute to set. func (o HardcodedRoleIdentityMapperOutput) IdentityProviderAlias() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedRoleIdentityMapper) pulumi.StringOutput { return v.IdentityProviderAlias }).(pulumi.StringOutput) } -// IDP Mapper Name +// Display name of this mapper when displayed in the console. func (o HardcodedRoleIdentityMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedRoleIdentityMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// Realm Name +// The realm ID that this mapper will exist in. func (o HardcodedRoleIdentityMapperOutput) Realm() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedRoleIdentityMapper) pulumi.StringOutput { return v.Realm }).(pulumi.StringOutput) } -// Role Name +// The name of the role which should be assigned to the users. func (o HardcodedRoleIdentityMapperOutput) Role() pulumi.StringPtrOutput { return o.ApplyT(func(v *HardcodedRoleIdentityMapper) pulumi.StringPtrOutput { return v.Role }).(pulumi.StringPtrOutput) } diff --git a/sdk/go/keycloak/ldap/hardcodedGroupMapper.go b/sdk/go/keycloak/ldap/hardcodedGroupMapper.go index 5dde6a9b..e8dfae42 100644 --- a/sdk/go/keycloak/ldap/hardcodedGroupMapper.go +++ b/sdk/go/keycloak/ldap/hardcodedGroupMapper.go @@ -12,16 +12,88 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP. +// +// The LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP. +// +// ## Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/ldap" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// ldapUserFederation, err := ldap.NewUserFederation(ctx, "ldapUserFederation", &ldap.UserFederationArgs{ +// RealmId: realm.ID(), +// UsernameLdapAttribute: pulumi.String("cn"), +// RdnLdapAttribute: pulumi.String("cn"), +// UuidLdapAttribute: pulumi.String("entryDN"), +// UserObjectClasses: pulumi.StringArray{ +// pulumi.String("simpleSecurityObject"), +// pulumi.String("organizationalRole"), +// }, +// ConnectionUrl: pulumi.String("ldap://openldap"), +// UsersDn: pulumi.String("dc=example,dc=org"), +// BindDn: pulumi.String("cn=admin,dc=example,dc=org"), +// BindCredential: pulumi.String("admin"), +// }) +// if err != nil { +// return err +// } +// realmGroup, err := keycloak.NewGroup(ctx, "realmGroup", &keycloak.GroupArgs{ +// RealmId: realm.ID(), +// }) +// if err != nil { +// return err +// } +// _, err = ldap.NewHardcodedGroupMapper(ctx, "assignGroupToUsers", &ldap.HardcodedGroupMapperArgs{ +// RealmId: realm.ID(), +// LdapUserFederationId: ldapUserFederation.ID(), +// Group: realmGroup.Name, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Import +// +// LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash +// +// ```sh +// +// $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 +// +// ``` type HardcodedGroupMapper struct { pulumi.CustomResourceState - // Group to grant to user. + // The name of the group which should be assigned to the users. Group pulumi.StringOutput `pulumi:"group"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringOutput `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name pulumi.StringOutput `pulumi:"name"` - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId pulumi.StringOutput `pulumi:"realmId"` } @@ -64,24 +136,24 @@ func GetHardcodedGroupMapper(ctx *pulumi.Context, // Input properties used for looking up and filtering HardcodedGroupMapper resources. type hardcodedGroupMapperState struct { - // Group to grant to user. + // The name of the group which should be assigned to the users. Group *string `pulumi:"group"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId *string `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId *string `pulumi:"realmId"` } type HardcodedGroupMapperState struct { - // Group to grant to user. + // The name of the group which should be assigned to the users. Group pulumi.StringPtrInput - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringPtrInput - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId pulumi.StringPtrInput } @@ -90,25 +162,25 @@ func (HardcodedGroupMapperState) ElementType() reflect.Type { } type hardcodedGroupMapperArgs struct { - // Group to grant to user. + // The name of the group which should be assigned to the users. Group string `pulumi:"group"` - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId string `pulumi:"ldapUserFederationId"` - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name *string `pulumi:"name"` - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a HardcodedGroupMapper resource. type HardcodedGroupMapperArgs struct { - // Group to grant to user. + // The name of the group which should be assigned to the users. Group pulumi.StringInput - // The ldap user federation provider to attach this mapper to. + // The ID of the LDAP user federation provider to attach this mapper to. LdapUserFederationId pulumi.StringInput - // Display name of the mapper when displayed in the console. + // Display name of this mapper when displayed in the console. Name pulumi.StringPtrInput - // The realm in which the ldap user federation provider exists. + // The realm that this LDAP mapper will exist in. RealmId pulumi.StringInput } @@ -199,22 +271,22 @@ func (o HardcodedGroupMapperOutput) ToHardcodedGroupMapperOutputWithContext(ctx return o } -// Group to grant to user. +// The name of the group which should be assigned to the users. func (o HardcodedGroupMapperOutput) Group() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedGroupMapper) pulumi.StringOutput { return v.Group }).(pulumi.StringOutput) } -// The ldap user federation provider to attach this mapper to. +// The ID of the LDAP user federation provider to attach this mapper to. func (o HardcodedGroupMapperOutput) LdapUserFederationId() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedGroupMapper) pulumi.StringOutput { return v.LdapUserFederationId }).(pulumi.StringOutput) } -// Display name of the mapper when displayed in the console. +// Display name of this mapper when displayed in the console. func (o HardcodedGroupMapperOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedGroupMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm in which the ldap user federation provider exists. +// The realm that this LDAP mapper will exist in. func (o HardcodedGroupMapperOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *HardcodedGroupMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/audienceResolveProtocolMapper.go b/sdk/go/keycloak/openid/audienceResolveProtocolMapper.go new file mode 100644 index 00000000..91cdc40c --- /dev/null +++ b/sdk/go/keycloak/openid/audienceResolveProtocolMapper.go @@ -0,0 +1,378 @@ +// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT. +// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! *** + +package openid + +import ( + "context" + "reflect" + + "errors" + "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/internal" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +// Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. +// +// This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles +// to imply which audiences are appropriate for the token. See the +// [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. +// +// ## Example Usage +// ### Client) +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// openidClient, err := openid.NewClient(ctx, "openidClient", &openid.ClientArgs{ +// RealmId: realm.ID(), +// ClientId: pulumi.String("client"), +// Enabled: pulumi.Bool(true), +// AccessType: pulumi.String("CONFIDENTIAL"), +// ValidRedirectUris: pulumi.StringArray{ +// pulumi.String("http://localhost:8080/openid-callback"), +// }, +// }) +// if err != nil { +// return err +// } +// _, err = openid.NewAudienceResolveProtocolMapper(ctx, "audienceMapper", &openid.AudienceResolveProtocolMapperArgs{ +// RealmId: realm.ID(), +// ClientId: openidClient.ID(), +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// ### Client Scope) +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// clientScope, err := openid.NewClientScope(ctx, "clientScope", &openid.ClientScopeArgs{ +// RealmId: realm.ID(), +// }) +// if err != nil { +// return err +// } +// _, err = openid.NewAudienceProtocolMapper(ctx, "audienceMapper", &openid.AudienceProtocolMapperArgs{ +// RealmId: realm.ID(), +// ClientScopeId: clientScope.ID(), +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ## Import +// +// Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash +// +// ```sh +// +// $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// +// ``` +// +// ```sh +// +// $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 +// +// ``` +type AudienceResolveProtocolMapper struct { + pulumi.CustomResourceState + + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrOutput `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` + // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + Name pulumi.StringOutput `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId pulumi.StringOutput `pulumi:"realmId"` +} + +// NewAudienceResolveProtocolMapper registers a new resource with the given unique name, arguments, and options. +func NewAudienceResolveProtocolMapper(ctx *pulumi.Context, + name string, args *AudienceResolveProtocolMapperArgs, opts ...pulumi.ResourceOption) (*AudienceResolveProtocolMapper, error) { + if args == nil { + return nil, errors.New("missing one or more required arguments") + } + + if args.RealmId == nil { + return nil, errors.New("invalid value for required argument 'RealmId'") + } + aliases := pulumi.Aliases([]pulumi.Alias{ + { + Type: pulumi.String("keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter"), + }, + }) + opts = append(opts, aliases) + opts = internal.PkgResourceDefaultOpts(opts) + var resource AudienceResolveProtocolMapper + err := ctx.RegisterResource("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", name, args, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// GetAudienceResolveProtocolMapper gets an existing AudienceResolveProtocolMapper resource's state with the given name, ID, and optional +// state properties that are used to uniquely qualify the lookup (nil if not required). +func GetAudienceResolveProtocolMapper(ctx *pulumi.Context, + name string, id pulumi.IDInput, state *AudienceResolveProtocolMapperState, opts ...pulumi.ResourceOption) (*AudienceResolveProtocolMapper, error) { + var resource AudienceResolveProtocolMapper + err := ctx.ReadResource("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", name, id, state, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// Input properties used for looking up and filtering AudienceResolveProtocolMapper resources. +type audienceResolveProtocolMapperState struct { + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId *string `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId *string `pulumi:"clientScopeId"` + // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + Name *string `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId *string `pulumi:"realmId"` +} + +type AudienceResolveProtocolMapperState struct { + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrInput + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrInput + // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + Name pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringPtrInput +} + +func (AudienceResolveProtocolMapperState) ElementType() reflect.Type { + return reflect.TypeOf((*audienceResolveProtocolMapperState)(nil)).Elem() +} + +type audienceResolveProtocolMapperArgs struct { + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId *string `pulumi:"clientId"` + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId *string `pulumi:"clientScopeId"` + // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + Name *string `pulumi:"name"` + // The realm this protocol mapper exists within. + RealmId string `pulumi:"realmId"` +} + +// The set of arguments for constructing a AudienceResolveProtocolMapper resource. +type AudienceResolveProtocolMapperArgs struct { + // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + ClientId pulumi.StringPtrInput + // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + ClientScopeId pulumi.StringPtrInput + // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + Name pulumi.StringPtrInput + // The realm this protocol mapper exists within. + RealmId pulumi.StringInput +} + +func (AudienceResolveProtocolMapperArgs) ElementType() reflect.Type { + return reflect.TypeOf((*audienceResolveProtocolMapperArgs)(nil)).Elem() +} + +type AudienceResolveProtocolMapperInput interface { + pulumi.Input + + ToAudienceResolveProtocolMapperOutput() AudienceResolveProtocolMapperOutput + ToAudienceResolveProtocolMapperOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperOutput +} + +func (*AudienceResolveProtocolMapper) ElementType() reflect.Type { + return reflect.TypeOf((**AudienceResolveProtocolMapper)(nil)).Elem() +} + +func (i *AudienceResolveProtocolMapper) ToAudienceResolveProtocolMapperOutput() AudienceResolveProtocolMapperOutput { + return i.ToAudienceResolveProtocolMapperOutputWithContext(context.Background()) +} + +func (i *AudienceResolveProtocolMapper) ToAudienceResolveProtocolMapperOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperOutput { + return pulumi.ToOutputWithContext(ctx, i).(AudienceResolveProtocolMapperOutput) +} + +// AudienceResolveProtocolMapperArrayInput is an input type that accepts AudienceResolveProtocolMapperArray and AudienceResolveProtocolMapperArrayOutput values. +// You can construct a concrete instance of `AudienceResolveProtocolMapperArrayInput` via: +// +// AudienceResolveProtocolMapperArray{ AudienceResolveProtocolMapperArgs{...} } +type AudienceResolveProtocolMapperArrayInput interface { + pulumi.Input + + ToAudienceResolveProtocolMapperArrayOutput() AudienceResolveProtocolMapperArrayOutput + ToAudienceResolveProtocolMapperArrayOutputWithContext(context.Context) AudienceResolveProtocolMapperArrayOutput +} + +type AudienceResolveProtocolMapperArray []AudienceResolveProtocolMapperInput + +func (AudienceResolveProtocolMapperArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]*AudienceResolveProtocolMapper)(nil)).Elem() +} + +func (i AudienceResolveProtocolMapperArray) ToAudienceResolveProtocolMapperArrayOutput() AudienceResolveProtocolMapperArrayOutput { + return i.ToAudienceResolveProtocolMapperArrayOutputWithContext(context.Background()) +} + +func (i AudienceResolveProtocolMapperArray) ToAudienceResolveProtocolMapperArrayOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(AudienceResolveProtocolMapperArrayOutput) +} + +// AudienceResolveProtocolMapperMapInput is an input type that accepts AudienceResolveProtocolMapperMap and AudienceResolveProtocolMapperMapOutput values. +// You can construct a concrete instance of `AudienceResolveProtocolMapperMapInput` via: +// +// AudienceResolveProtocolMapperMap{ "key": AudienceResolveProtocolMapperArgs{...} } +type AudienceResolveProtocolMapperMapInput interface { + pulumi.Input + + ToAudienceResolveProtocolMapperMapOutput() AudienceResolveProtocolMapperMapOutput + ToAudienceResolveProtocolMapperMapOutputWithContext(context.Context) AudienceResolveProtocolMapperMapOutput +} + +type AudienceResolveProtocolMapperMap map[string]AudienceResolveProtocolMapperInput + +func (AudienceResolveProtocolMapperMap) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*AudienceResolveProtocolMapper)(nil)).Elem() +} + +func (i AudienceResolveProtocolMapperMap) ToAudienceResolveProtocolMapperMapOutput() AudienceResolveProtocolMapperMapOutput { + return i.ToAudienceResolveProtocolMapperMapOutputWithContext(context.Background()) +} + +func (i AudienceResolveProtocolMapperMap) ToAudienceResolveProtocolMapperMapOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperMapOutput { + return pulumi.ToOutputWithContext(ctx, i).(AudienceResolveProtocolMapperMapOutput) +} + +type AudienceResolveProtocolMapperOutput struct{ *pulumi.OutputState } + +func (AudienceResolveProtocolMapperOutput) ElementType() reflect.Type { + return reflect.TypeOf((**AudienceResolveProtocolMapper)(nil)).Elem() +} + +func (o AudienceResolveProtocolMapperOutput) ToAudienceResolveProtocolMapperOutput() AudienceResolveProtocolMapperOutput { + return o +} + +func (o AudienceResolveProtocolMapperOutput) ToAudienceResolveProtocolMapperOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperOutput { + return o +} + +// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. +func (o AudienceResolveProtocolMapperOutput) ClientId() pulumi.StringPtrOutput { + return o.ApplyT(func(v *AudienceResolveProtocolMapper) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) +} + +// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. +func (o AudienceResolveProtocolMapperOutput) ClientScopeId() pulumi.StringPtrOutput { + return o.ApplyT(func(v *AudienceResolveProtocolMapper) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) +} + +// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". +func (o AudienceResolveProtocolMapperOutput) Name() pulumi.StringOutput { + return o.ApplyT(func(v *AudienceResolveProtocolMapper) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) +} + +// The realm this protocol mapper exists within. +func (o AudienceResolveProtocolMapperOutput) RealmId() pulumi.StringOutput { + return o.ApplyT(func(v *AudienceResolveProtocolMapper) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) +} + +type AudienceResolveProtocolMapperArrayOutput struct{ *pulumi.OutputState } + +func (AudienceResolveProtocolMapperArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]*AudienceResolveProtocolMapper)(nil)).Elem() +} + +func (o AudienceResolveProtocolMapperArrayOutput) ToAudienceResolveProtocolMapperArrayOutput() AudienceResolveProtocolMapperArrayOutput { + return o +} + +func (o AudienceResolveProtocolMapperArrayOutput) ToAudienceResolveProtocolMapperArrayOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperArrayOutput { + return o +} + +func (o AudienceResolveProtocolMapperArrayOutput) Index(i pulumi.IntInput) AudienceResolveProtocolMapperOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) *AudienceResolveProtocolMapper { + return vs[0].([]*AudienceResolveProtocolMapper)[vs[1].(int)] + }).(AudienceResolveProtocolMapperOutput) +} + +type AudienceResolveProtocolMapperMapOutput struct{ *pulumi.OutputState } + +func (AudienceResolveProtocolMapperMapOutput) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*AudienceResolveProtocolMapper)(nil)).Elem() +} + +func (o AudienceResolveProtocolMapperMapOutput) ToAudienceResolveProtocolMapperMapOutput() AudienceResolveProtocolMapperMapOutput { + return o +} + +func (o AudienceResolveProtocolMapperMapOutput) ToAudienceResolveProtocolMapperMapOutputWithContext(ctx context.Context) AudienceResolveProtocolMapperMapOutput { + return o +} + +func (o AudienceResolveProtocolMapperMapOutput) MapIndex(k pulumi.StringInput) AudienceResolveProtocolMapperOutput { + return pulumi.All(o, k).ApplyT(func(vs []interface{}) *AudienceResolveProtocolMapper { + return vs[0].(map[string]*AudienceResolveProtocolMapper)[vs[1].(string)] + }).(AudienceResolveProtocolMapperOutput) +} + +func init() { + pulumi.RegisterInputType(reflect.TypeOf((*AudienceResolveProtocolMapperInput)(nil)).Elem(), &AudienceResolveProtocolMapper{}) + pulumi.RegisterInputType(reflect.TypeOf((*AudienceResolveProtocolMapperArrayInput)(nil)).Elem(), AudienceResolveProtocolMapperArray{}) + pulumi.RegisterInputType(reflect.TypeOf((*AudienceResolveProtocolMapperMapInput)(nil)).Elem(), AudienceResolveProtocolMapperMap{}) + pulumi.RegisterOutputType(AudienceResolveProtocolMapperOutput{}) + pulumi.RegisterOutputType(AudienceResolveProtocolMapperArrayOutput{}) + pulumi.RegisterOutputType(AudienceResolveProtocolMapperMapOutput{}) +} diff --git a/sdk/go/keycloak/openid/audienceResolveProtocolMappter.go b/sdk/go/keycloak/openid/audienceResolveProtocolMappter.go index 74515621..dd5513d1 100644 --- a/sdk/go/keycloak/openid/audienceResolveProtocolMappter.go +++ b/sdk/go/keycloak/openid/audienceResolveProtocolMappter.go @@ -12,125 +12,17 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) -// Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. -// -// This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles -// to imply which audiences are appropriate for the token. See the -// [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. -// -// ## Example Usage -// ### Client) -// -// ```go -// package main -// -// import ( -// -// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" -// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" -// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" -// -// ) -// -// func main() { -// pulumi.Run(func(ctx *pulumi.Context) error { -// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ -// Realm: pulumi.String("my-realm"), -// Enabled: pulumi.Bool(true), -// }) -// if err != nil { -// return err -// } -// openidClient, err := openid.NewClient(ctx, "openidClient", &openid.ClientArgs{ -// RealmId: realm.ID(), -// ClientId: pulumi.String("client"), -// Enabled: pulumi.Bool(true), -// AccessType: pulumi.String("CONFIDENTIAL"), -// ValidRedirectUris: pulumi.StringArray{ -// pulumi.String("http://localhost:8080/openid-callback"), -// }, -// }) -// if err != nil { -// return err -// } -// _, err = openid.NewAudienceResolveProtocolMappter(ctx, "audienceMapper", &openid.AudienceResolveProtocolMappterArgs{ -// RealmId: realm.ID(), -// ClientId: openidClient.ID(), -// }) -// if err != nil { -// return err -// } -// return nil -// }) -// } -// -// ``` -// ### Client Scope) -// -// ```go -// package main -// -// import ( -// -// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" -// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" -// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" -// -// ) -// -// func main() { -// pulumi.Run(func(ctx *pulumi.Context) error { -// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ -// Realm: pulumi.String("my-realm"), -// Enabled: pulumi.Bool(true), -// }) -// if err != nil { -// return err -// } -// clientScope, err := openid.NewClientScope(ctx, "clientScope", &openid.ClientScopeArgs{ -// RealmId: realm.ID(), -// }) -// if err != nil { -// return err -// } -// _, err = openid.NewAudienceProtocolMapper(ctx, "audienceMapper", &openid.AudienceProtocolMapperArgs{ -// RealmId: realm.ID(), -// ClientScopeId: clientScope.ID(), -// }) -// if err != nil { -// return err -// } -// return nil -// }) -// } -// -// ``` -// -// ## Import -// -// Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash -// -// ```sh -// -// $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -// -// ``` -// -// ```sh -// -// $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -// -// ``` +// Deprecated: keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper type AudienceResolveProtocolMappter struct { pulumi.CustomResourceState - // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client. Cannot be used at the same time as client_scope_id. ClientId pulumi.StringPtrOutput `pulumi:"clientId"` - // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"` - // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + // A human-friendly name that will appear in the Keycloak console. Name pulumi.StringOutput `pulumi:"name"` - // The realm this protocol mapper exists within. + // The realm id where the associated client or client scope exists. RealmId pulumi.StringOutput `pulumi:"realmId"` } @@ -167,24 +59,24 @@ func GetAudienceResolveProtocolMappter(ctx *pulumi.Context, // Input properties used for looking up and filtering AudienceResolveProtocolMappter resources. type audienceResolveProtocolMappterState struct { - // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client. Cannot be used at the same time as client_scope_id. ClientId *string `pulumi:"clientId"` - // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId *string `pulumi:"clientScopeId"` - // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + // A human-friendly name that will appear in the Keycloak console. Name *string `pulumi:"name"` - // The realm this protocol mapper exists within. + // The realm id where the associated client or client scope exists. RealmId *string `pulumi:"realmId"` } type AudienceResolveProtocolMappterState struct { - // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client. Cannot be used at the same time as client_scope_id. ClientId pulumi.StringPtrInput - // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId pulumi.StringPtrInput - // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + // A human-friendly name that will appear in the Keycloak console. Name pulumi.StringPtrInput - // The realm this protocol mapper exists within. + // The realm id where the associated client or client scope exists. RealmId pulumi.StringPtrInput } @@ -193,25 +85,25 @@ func (AudienceResolveProtocolMappterState) ElementType() reflect.Type { } type audienceResolveProtocolMappterArgs struct { - // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client. Cannot be used at the same time as client_scope_id. ClientId *string `pulumi:"clientId"` - // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId *string `pulumi:"clientScopeId"` - // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + // A human-friendly name that will appear in the Keycloak console. Name *string `pulumi:"name"` - // The realm this protocol mapper exists within. + // The realm id where the associated client or client scope exists. RealmId string `pulumi:"realmId"` } // The set of arguments for constructing a AudienceResolveProtocolMappter resource. type AudienceResolveProtocolMappterArgs struct { - // The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client. Cannot be used at the same time as client_scope_id. ClientId pulumi.StringPtrInput - // The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + // The mapper's associated client scope. Cannot be used at the same time as client_id. ClientScopeId pulumi.StringPtrInput - // The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + // A human-friendly name that will appear in the Keycloak console. Name pulumi.StringPtrInput - // The realm this protocol mapper exists within. + // The realm id where the associated client or client scope exists. RealmId pulumi.StringInput } @@ -302,22 +194,22 @@ func (o AudienceResolveProtocolMappterOutput) ToAudienceResolveProtocolMappterOu return o } -// The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. +// The mapper's associated client. Cannot be used at the same time as client_scope_id. func (o AudienceResolveProtocolMappterOutput) ClientId() pulumi.StringPtrOutput { return o.ApplyT(func(v *AudienceResolveProtocolMappter) pulumi.StringPtrOutput { return v.ClientId }).(pulumi.StringPtrOutput) } -// The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. +// The mapper's associated client scope. Cannot be used at the same time as client_id. func (o AudienceResolveProtocolMappterOutput) ClientScopeId() pulumi.StringPtrOutput { return o.ApplyT(func(v *AudienceResolveProtocolMappter) pulumi.StringPtrOutput { return v.ClientScopeId }).(pulumi.StringPtrOutput) } -// The display name of this protocol mapper in the GUI. Defaults to "audience resolve". +// A human-friendly name that will appear in the Keycloak console. func (o AudienceResolveProtocolMappterOutput) Name() pulumi.StringOutput { return o.ApplyT(func(v *AudienceResolveProtocolMappter) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) } -// The realm this protocol mapper exists within. +// The realm id where the associated client or client scope exists. func (o AudienceResolveProtocolMappterOutput) RealmId() pulumi.StringOutput { return o.ApplyT(func(v *AudienceResolveProtocolMappter) pulumi.StringOutput { return v.RealmId }).(pulumi.StringOutput) } diff --git a/sdk/go/keycloak/openid/clientAuthorizationPermission.go b/sdk/go/keycloak/openid/clientAuthorizationPermission.go index 267a4bff..84c9c45d 100644 --- a/sdk/go/keycloak/openid/clientAuthorizationPermission.go +++ b/sdk/go/keycloak/openid/clientAuthorizationPermission.go @@ -12,6 +12,115 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// ## # openid.ClientAuthorizationPermission +// +// Allows you to manage openid Client Authorization Permissions. +// +// ### Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("my-realm"), +// Enabled: pulumi.Bool(true), +// }) +// if err != nil { +// return err +// } +// testClient, err := openid.NewClient(ctx, "testClient", &openid.ClientArgs{ +// ClientId: pulumi.String("client_id"), +// RealmId: realm.ID(), +// AccessType: pulumi.String("CONFIDENTIAL"), +// ServiceAccountsEnabled: pulumi.Bool(true), +// Authorization: &openid.ClientAuthorizationArgs{ +// PolicyEnforcementMode: pulumi.String("ENFORCING"), +// }, +// }) +// if err != nil { +// return err +// } +// _default := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{ +// RealmId: realm.ID(), +// ResourceServerId: testClient.ResourceServerId, +// Name: pulumi.String("default"), +// }, nil); +// testClientAuthorizationResource, err := openid.NewClientAuthorizationResource(ctx, "testClientAuthorizationResource", &openid.ClientAuthorizationResourceArgs{ +// ResourceServerId: testClient.ResourceServerId, +// RealmId: realm.ID(), +// Uris: pulumi.StringArray{ +// pulumi.String("/endpoint/*"), +// }, +// }) +// if err != nil { +// return err +// } +// _, err = openid.NewClientAuthorizationScope(ctx, "testClientAuthorizationScope", &openid.ClientAuthorizationScopeArgs{ +// ResourceServerId: testClient.ResourceServerId, +// RealmId: realm.ID(), +// }) +// if err != nil { +// return err +// } +// _, err = openid.NewClientAuthorizationPermission(ctx, "testClientAuthorizationPermission", &openid.ClientAuthorizationPermissionArgs{ +// ResourceServerId: testClient.ResourceServerId, +// RealmId: realm.ID(), +// Policies: pulumi.StringArray{ +// _default.ApplyT(func(_default openid.GetClientAuthorizationPolicyResult) (*string, error) { +// return &default.Id, nil +// }).(pulumi.StringPtrOutput), +// }, +// Resources: pulumi.StringArray{ +// testClientAuthorizationResource.ID(), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// ``` +// +// ### Argument Reference +// +// The following arguments are supported: +// +// - `realmId` - (Required) The realm this group exists in. +// - `resourceServerId` - (Required) The ID of the resource server. +// - `name` - (Required) The name of the permission. +// - `description` - (Optional) A description for the authorization permission. +// - `decisionStrategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`. +// - `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission. +// - `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resourceType`. +// - `resourceType` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`. +// - `scopes` - (Optional) A list of scope IDs that this permission must be applied to. +// - `type` - (Optional) The type of permission, can be one of `resource` or `scope`. +// +// ### Attributes Reference +// +// In addition to the arguments listed above, the following computed attributes are exported: +// +// - `id` - Permission ID representing the permission. +// +// ## Import +// +// Client authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash +// +// ```sh +// +// $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9 +// +// ``` type ClientAuthorizationPermission struct { pulumi.CustomResourceState diff --git a/sdk/go/keycloak/openid/clientPermissions.go b/sdk/go/keycloak/openid/clientPermissions.go index 6bf7cf89..09c67f88 100644 --- a/sdk/go/keycloak/openid/clientPermissions.go +++ b/sdk/go/keycloak/openid/clientPermissions.go @@ -12,6 +12,140 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// ## # openid.ClientPermissions +// +// Allows you to manage all openid client Scope Based Permissions. +// +// This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More +// information about enabling the preview feature can be found +// here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange +// +// When enabling Openid Client Permissions, Keycloak does several things automatically: +// +// 1. Enable Authorization on build-in realm-management client +// 2. Create scopes "view", "manage", "configure", "map-roles", "map-roles-client-scope", "map-roles-composite", " +// token-exchange" +// 3. Create a resource representing the openid client +// 4. Create all scope based permission for the scopes and openid client resource +// +// If the realm-management Authorization is not enable, you have to ceate a dependency (`dependsOn`) with the policy and +// the openid client. +// +// ### Example Usage +// +// ```go +// package main +// +// import ( +// +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak" +// "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid" +// "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +// +// ) +// +// func main() { +// pulumi.Run(func(ctx *pulumi.Context) error { +// realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{ +// Realm: pulumi.String("realm"), +// }) +// if err != nil { +// return err +// } +// myOpenidClient, err := openid.NewClient(ctx, "myOpenidClient", &openid.ClientArgs{ +// RealmId: realm.ID(), +// ClientId: pulumi.String("my_openid_client"), +// ClientSecret: pulumi.String("secret"), +// AccessType: pulumi.String("CONFIDENTIAL"), +// StandardFlowEnabled: pulumi.Bool(true), +// ValidRedirectUris: pulumi.StringArray{ +// pulumi.String("http://localhost:8080/*"), +// }, +// }) +// if err != nil { +// return err +// } +// realmManagement := openid.LookupClientOutput(ctx, openid.GetClientOutputArgs{ +// RealmId: realm.ID(), +// ClientId: pulumi.String("realm-management"), +// }, nil) +// testUser, err := keycloak.NewUser(ctx, "testUser", &keycloak.UserArgs{ +// RealmId: realm.ID(), +// Username: pulumi.String("test-user"), +// Email: pulumi.String("test-user@fakedomain.com"), +// FirstName: pulumi.String("Testy"), +// LastName: pulumi.String("Tester"), +// }) +// if err != nil { +// return err +// } +// testClientUserPolicy, err := openid.NewClientUserPolicy(ctx, "testClientUserPolicy", &openid.ClientUserPolicyArgs{ +// ResourceServerId: realmManagement.ApplyT(func(realmManagement openid.GetClientResult) (*string, error) { +// return &realmManagement.Id, nil +// }).(pulumi.StringPtrOutput), +// RealmId: realm.ID(), +// Users: pulumi.StringArray{ +// testUser.ID(), +// }, +// Logic: pulumi.String("POSITIVE"), +// DecisionStrategy: pulumi.String("UNANIMOUS"), +// }, pulumi.DependsOn([]pulumi.Resource{ +// myOpenidClient, +// })) +// if err != nil { +// return err +// } +// _, err = openid.NewClientPermissions(ctx, "myPermission", &openid.ClientPermissionsArgs{ +// RealmId: realm.ID(), +// ClientId: myOpenidClient.ID(), +// ViewScope: &openid.ClientPermissionsViewScopeArgs{ +// Policies: pulumi.StringArray{ +// testClientUserPolicy.ID(), +// }, +// Description: pulumi.String("my description"), +// DecisionStrategy: pulumi.String("UNANIMOUS"), +// }, +// }) +// if err != nil { +// return err +// } +// return nil +// }) +// } +// +// ``` +// +// ### Argument Reference +// +// The following arguments are supported: +// +// - `realmId` - (Required) The realm this group exists in. +// - `clientId` - (Required) The id of the client that provides the role. +// +// #### Permission Scopes +// +// Permission scopes can be defined using the following attributes: +// +// - `viewScope` +// - `manageScope` +// - `configureScope` +// - `mapRolesScope` +// - `mapRolesClientScopeScope` +// - `mapRolesCompositeScope` +// - `tokenExchangeScope` +// +// Each of these attributes have the following schema: +// +// - `policies` - (Optional) A list of policy IDs +// - `description` - (Optional) A description for the permission scope +// - `decisionStrategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. +// +// ### Attributes Reference +// +// In addition to the arguments listed above, the following computed attributes are exported: +// +// - `authorizationResourceServerId` - Resource server id representing the realm management client on which this +// permission is managed. type ClientPermissions struct { pulumi.CustomResourceState diff --git a/sdk/go/keycloak/openid/init.go b/sdk/go/keycloak/openid/init.go index da7efa06..4fe2fb0c 100644 --- a/sdk/go/keycloak/openid/init.go +++ b/sdk/go/keycloak/openid/init.go @@ -23,6 +23,8 @@ func (m *module) Construct(ctx *pulumi.Context, name, typ, urn string) (r pulumi switch typ { case "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper": r = &AudienceProtocolMapper{} + case "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper": + r = &AudienceResolveProtocolMapper{} case "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": r = &AudienceResolveProtocolMappter{} case "keycloak:openid/client:Client": @@ -97,6 +99,11 @@ func init() { "openid/audienceProtocolMapper", &module{version}, ) + pulumi.RegisterResourceModule( + "keycloak", + "openid/audienceResolveProtocolMapper", + &module{version}, + ) pulumi.RegisterResourceModule( "keycloak", "openid/audienceResolveProtocolMappter", diff --git a/sdk/go/keycloak/usersPermissions.go b/sdk/go/keycloak/usersPermissions.go index 347f16a4..dd0f449f 100644 --- a/sdk/go/keycloak/usersPermissions.go +++ b/sdk/go/keycloak/usersPermissions.go @@ -12,6 +12,34 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +// ## Example Usage +// ### Argument Reference +// +// The following arguments are supported: +// +// - `realmId` - (Required) The realm in which to manage fine-grained user permissions. +// +// Each of the scopes that can be managed are defined below: +// +// - `viewScope` - (Optional) When specified, set the scope based view permission. +// - `manageScope` - (Optional) When specified, set the scope based manage permission. +// - `mapRolesScope` - (Optional) When specified, set the scope based mapRoles permission. +// - `manageGroupMembershipScope` - (Optional) When specified, set the scope based manageGroupMembership permission. +// - `impersonateScope` - (Optional) When specified, set the scope based impersonate permission. +// - `userImpersonatedScope` - (Optional) When specified, set the scope based userImpersonated permission. +// +// The configuration block for each of these scopes supports the following arguments: +// +// - `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. +// - `description` - (Optional) Description of the permission. +// - `decisionStrategy` - (Optional) Decision strategy of the permission. +// +// ### Attributes Reference +// +// In addition to the arguments listed above, the following computed attributes are exported: +// +// - `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. +// - `authorizationResourceServerId` - Resource server id representing the realm management client on which these permissions are managed. type UsersPermissions struct { pulumi.CustomResourceState diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapper.java index d50bd13f..a6ba6f09 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapper.java @@ -16,45 +16,120 @@ import java.util.Optional; import javax.annotation.Nullable; +/** + * Allows for creating and managing an attribute to role identity provider mapper within Keycloak. + * + * > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. + * + * ## Example Usage + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.oidc.IdentityProvider; + * import com.pulumi.keycloak.oidc.IdentityProviderArgs; + * import com.pulumi.keycloak.Role; + * import com.pulumi.keycloak.RoleArgs; + * import com.pulumi.keycloak.AttributeToRoleIdentityMapper; + * import com.pulumi.keycloak.AttributeToRoleIdentityMapperArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var oidcIdentityProvider = new IdentityProvider("oidcIdentityProvider", IdentityProviderArgs.builder() + * .realm(realm.id()) + * .alias("oidc") + * .authorizationUrl("https://example.com/auth") + * .tokenUrl("https://example.com/token") + * .clientId("example_id") + * .clientSecret("example_token") + * .defaultScopes("openid random profile") + * .build()); + * + * var realmRole = new Role("realmRole", RoleArgs.builder() + * .realmId(realm.id()) + * .description("My Realm Role") + * .build()); + * + * var oidcAttributeToRoleIdentityMapper = new AttributeToRoleIdentityMapper("oidcAttributeToRoleIdentityMapper", AttributeToRoleIdentityMapperArgs.builder() + * .realm(realm.id()) + * .identityProviderAlias(oidcIdentityProvider.alias()) + * .role("my-realm-role") + * .claimName("my-claim") + * .claimValue("my-value") + * .extraConfig(Map.of("syncMode", "INHERIT")) + * .build()); + * + * } + * } + * ``` + * + * ## Import + * + * Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash + * + * ```sh + * $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + * ``` + * + */ @ResourceType(type="keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper") public class AttributeToRoleIdentityMapper extends com.pulumi.resources.CustomResource { /** - * Attribute Friendly Name + * Attribute Friendly Name. Conflicts with `attribute_name`. * */ @Export(name="attributeFriendlyName", refs={String.class}, tree="[0]") private Output attributeFriendlyName; /** - * @return Attribute Friendly Name + * @return Attribute Friendly Name. Conflicts with `attribute_name`. * */ public Output> attributeFriendlyName() { return Codegen.optional(this.attributeFriendlyName); } /** - * Attribute Name + * Attribute Name. * */ @Export(name="attributeName", refs={String.class}, tree="[0]") private Output attributeName; /** - * @return Attribute Name + * @return Attribute Name. * */ public Output> attributeName() { return Codegen.optional(this.attributeName); } /** - * Attribute Value + * Attribute Value. * */ @Export(name="attributeValue", refs={String.class}, tree="[0]") private Output attributeValue; /** - * @return Attribute Value + * @return Attribute Value. * */ public Output> attributeValue() { @@ -88,63 +163,71 @@ public Output> claimName() { public Output> claimValue() { return Codegen.optional(this.claimValue); } + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ @Export(name="extraConfig", refs={Map.class,String.class,Object.class}, tree="[0,1,2]") private Output> extraConfig; + /** + * @return Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ public Output>> extraConfig() { return Codegen.optional(this.extraConfig); } /** - * IDP Alias + * The alias of the associated identity provider. * */ @Export(name="identityProviderAlias", refs={String.class}, tree="[0]") private Output identityProviderAlias; /** - * @return IDP Alias + * @return The alias of the associated identity provider. * */ public Output identityProviderAlias() { return this.identityProviderAlias; } /** - * IDP Mapper Name + * The name of the mapper. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return IDP Mapper Name + * @return The name of the mapper. * */ public Output name() { return this.name; } /** - * Realm Name + * The name of the realm. * */ @Export(name="realm", refs={String.class}, tree="[0]") private Output realm; /** - * @return Realm Name + * @return The name of the realm. * */ public Output realm() { return this.realm; } /** - * Role Name + * Role Name. * */ @Export(name="role", refs={String.class}, tree="[0]") private Output role; /** - * @return Role Name + * @return Role Name. * */ public Output role() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapperArgs.java index df73f1dd..19466dbb 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/AttributeToRoleIdentityMapperArgs.java @@ -18,14 +18,14 @@ public final class AttributeToRoleIdentityMapperArgs extends com.pulumi.resource public static final AttributeToRoleIdentityMapperArgs Empty = new AttributeToRoleIdentityMapperArgs(); /** - * Attribute Friendly Name + * Attribute Friendly Name. Conflicts with `attribute_name`. * */ @Import(name="attributeFriendlyName") private @Nullable Output attributeFriendlyName; /** - * @return Attribute Friendly Name + * @return Attribute Friendly Name. Conflicts with `attribute_name`. * */ public Optional> attributeFriendlyName() { @@ -33,14 +33,14 @@ public Optional> attributeFriendlyName() { } /** - * Attribute Name + * Attribute Name. * */ @Import(name="attributeName") private @Nullable Output attributeName; /** - * @return Attribute Name + * @return Attribute Name. * */ public Optional> attributeName() { @@ -48,14 +48,14 @@ public Optional> attributeName() { } /** - * Attribute Value + * Attribute Value. * */ @Import(name="attributeValue") private @Nullable Output attributeValue; /** - * @return Attribute Value + * @return Attribute Value. * */ public Optional> attributeValue() { @@ -92,22 +92,30 @@ public Optional> claimValue() { return Optional.ofNullable(this.claimValue); } + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ @Import(name="extraConfig") private @Nullable Output> extraConfig; + /** + * @return Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } /** - * IDP Alias + * The alias of the associated identity provider. * */ @Import(name="identityProviderAlias", required=true) private Output identityProviderAlias; /** - * @return IDP Alias + * @return The alias of the associated identity provider. * */ public Output identityProviderAlias() { @@ -115,14 +123,14 @@ public Output identityProviderAlias() { } /** - * IDP Mapper Name + * The name of the mapper. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return The name of the mapper. * */ public Optional> name() { @@ -130,14 +138,14 @@ public Optional> name() { } /** - * Realm Name + * The name of the realm. * */ @Import(name="realm", required=true) private Output realm; /** - * @return Realm Name + * @return The name of the realm. * */ public Output realm() { @@ -145,14 +153,14 @@ public Output realm() { } /** - * Role Name + * Role Name. * */ @Import(name="role", required=true) private Output role; /** - * @return Role Name + * @return Role Name. * */ public Output role() { @@ -193,7 +201,7 @@ public Builder(AttributeToRoleIdentityMapperArgs defaults) { } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName Attribute Friendly Name. Conflicts with `attribute_name`. * * @return builder * @@ -204,7 +212,7 @@ public Builder attributeFriendlyName(@Nullable Output attributeFriendlyN } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName Attribute Friendly Name. Conflicts with `attribute_name`. * * @return builder * @@ -214,7 +222,7 @@ public Builder attributeFriendlyName(String attributeFriendlyName) { } /** - * @param attributeName Attribute Name + * @param attributeName Attribute Name. * * @return builder * @@ -225,7 +233,7 @@ public Builder attributeName(@Nullable Output attributeName) { } /** - * @param attributeName Attribute Name + * @param attributeName Attribute Name. * * @return builder * @@ -235,7 +243,7 @@ public Builder attributeName(String attributeName) { } /** - * @param attributeValue Attribute Value + * @param attributeValue Attribute Value. * * @return builder * @@ -246,7 +254,7 @@ public Builder attributeValue(@Nullable Output attributeValue) { } /** - * @param attributeValue Attribute Value + * @param attributeValue Attribute Value. * * @return builder * @@ -297,17 +305,29 @@ public Builder claimValue(String claimValue) { return claimValue(Output.of(claimValue)); } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(@Nullable Output> extraConfig) { $.extraConfig = extraConfig; return this; } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -318,7 +338,7 @@ public Builder identityProviderAlias(Output identityProviderAlias) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -328,7 +348,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -339,7 +359,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -349,7 +369,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * @@ -360,7 +380,7 @@ public Builder realm(Output realm) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * @@ -370,7 +390,7 @@ public Builder realm(String realm) { } /** - * @param role Role Name + * @param role Role Name. * * @return builder * @@ -381,7 +401,7 @@ public Builder role(Output role) { } /** - * @param role Role Name + * @param role Role Name. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapper.java index 90d957ad..33d1584b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapper.java @@ -17,31 +17,90 @@ import java.util.Optional; import javax.annotation.Nullable; +/** + * Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider. + * + * The identity provider hardcoded attribute mapper will set the specified value to the IDP attribute. + * + * ## Example Usage + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.oidc.IdentityProvider; + * import com.pulumi.keycloak.oidc.IdentityProviderArgs; + * import com.pulumi.keycloak.HardcodedAttributeIdentityProviderMapper; + * import com.pulumi.keycloak.HardcodedAttributeIdentityProviderMapperArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var oidcIdentityProvider = new IdentityProvider("oidcIdentityProvider", IdentityProviderArgs.builder() + * .realm(realm.id()) + * .alias("my-idp") + * .authorizationUrl("https://authorizationurl.com") + * .clientId("clientID") + * .clientSecret("clientSecret") + * .tokenUrl("https://tokenurl.com") + * .build()); + * + * var oidcHardcodedAttributeIdentityProviderMapper = new HardcodedAttributeIdentityProviderMapper("oidcHardcodedAttributeIdentityProviderMapper", HardcodedAttributeIdentityProviderMapperArgs.builder() + * .realm(realm.id()) + * .identityProviderAlias(oidcIdentityProvider.alias()) + * .attributeName("attribute") + * .attributeValue("value") + * .userSession(true) + * .extraConfig(Map.of("syncMode", "INHERIT")) + * .build()); + * + * } + * } + * ``` + * + */ @ResourceType(type="keycloak:index/hardcodedAttributeIdentityProviderMapper:HardcodedAttributeIdentityProviderMapper") public class HardcodedAttributeIdentityProviderMapper extends com.pulumi.resources.CustomResource { /** - * OIDC Claim + * The name of the IDP attribute to set. * */ @Export(name="attributeName", refs={String.class}, tree="[0]") private Output attributeName; /** - * @return OIDC Claim + * @return The name of the IDP attribute to set. * */ public Output> attributeName() { return Codegen.optional(this.attributeName); } /** - * User Attribute + * The value to set to the attribute. You can hardcode any value like 'foo'. * */ @Export(name="attributeValue", refs={String.class}, tree="[0]") private Output attributeValue; /** - * @return User Attribute + * @return The value to set to the attribute. You can hardcode any value like 'foo'. * */ public Output> attributeValue() { @@ -54,56 +113,56 @@ public Output>> extraConfig() { return Codegen.optional(this.extraConfig); } /** - * IDP Alias + * The IDP alias of the attribute to set. * */ @Export(name="identityProviderAlias", refs={String.class}, tree="[0]") private Output identityProviderAlias; /** - * @return IDP Alias + * @return The IDP alias of the attribute to set. * */ public Output identityProviderAlias() { return this.identityProviderAlias; } /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return IDP Mapper Name + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } /** - * Realm Name + * The realm ID that this mapper will exist in. * */ @Export(name="realm", refs={String.class}, tree="[0]") private Output realm; /** - * @return Realm Name + * @return The realm ID that this mapper will exist in. * */ public Output realm() { return this.realm; } /** - * Is Attribute Related To a User Session + * Is Attribute related to a User Session. * */ @Export(name="userSession", refs={Boolean.class}, tree="[0]") private Output userSession; /** - * @return Is Attribute Related To a User Session + * @return Is Attribute related to a User Session. * */ public Output userSession() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapperArgs.java index f55fa1be..ab52263f 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedAttributeIdentityProviderMapperArgs.java @@ -19,14 +19,14 @@ public final class HardcodedAttributeIdentityProviderMapperArgs extends com.pulu public static final HardcodedAttributeIdentityProviderMapperArgs Empty = new HardcodedAttributeIdentityProviderMapperArgs(); /** - * OIDC Claim + * The name of the IDP attribute to set. * */ @Import(name="attributeName") private @Nullable Output attributeName; /** - * @return OIDC Claim + * @return The name of the IDP attribute to set. * */ public Optional> attributeName() { @@ -34,14 +34,14 @@ public Optional> attributeName() { } /** - * User Attribute + * The value to set to the attribute. You can hardcode any value like 'foo'. * */ @Import(name="attributeValue") private @Nullable Output attributeValue; /** - * @return User Attribute + * @return The value to set to the attribute. You can hardcode any value like 'foo'. * */ public Optional> attributeValue() { @@ -56,14 +56,14 @@ public Optional>> extraConfig() { } /** - * IDP Alias + * The IDP alias of the attribute to set. * */ @Import(name="identityProviderAlias", required=true) private Output identityProviderAlias; /** - * @return IDP Alias + * @return The IDP alias of the attribute to set. * */ public Output identityProviderAlias() { @@ -71,14 +71,14 @@ public Output identityProviderAlias() { } /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -86,14 +86,14 @@ public Optional> name() { } /** - * Realm Name + * The realm ID that this mapper will exist in. * */ @Import(name="realm", required=true) private Output realm; /** - * @return Realm Name + * @return The realm ID that this mapper will exist in. * */ public Output realm() { @@ -101,14 +101,14 @@ public Output realm() { } /** - * Is Attribute Related To a User Session + * Is Attribute related to a User Session. * */ @Import(name="userSession", required=true) private Output userSession; /** - * @return Is Attribute Related To a User Session + * @return Is Attribute related to a User Session. * */ public Output userSession() { @@ -146,7 +146,7 @@ public Builder(HardcodedAttributeIdentityProviderMapperArgs defaults) { } /** - * @param attributeName OIDC Claim + * @param attributeName The name of the IDP attribute to set. * * @return builder * @@ -157,7 +157,7 @@ public Builder attributeName(@Nullable Output attributeName) { } /** - * @param attributeName OIDC Claim + * @param attributeName The name of the IDP attribute to set. * * @return builder * @@ -167,7 +167,7 @@ public Builder attributeName(String attributeName) { } /** - * @param attributeValue User Attribute + * @param attributeValue The value to set to the attribute. You can hardcode any value like 'foo'. * * @return builder * @@ -178,7 +178,7 @@ public Builder attributeValue(@Nullable Output attributeValue) { } /** - * @param attributeValue User Attribute + * @param attributeValue The value to set to the attribute. You can hardcode any value like 'foo'. * * @return builder * @@ -197,7 +197,7 @@ public Builder extraConfig(Map extraConfig) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -208,7 +208,7 @@ public Builder identityProviderAlias(Output identityProviderAlias) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -218,7 +218,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -229,7 +229,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -239,7 +239,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -250,7 +250,7 @@ public Builder realm(Output realm) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -260,7 +260,7 @@ public Builder realm(String realm) { } /** - * @param userSession Is Attribute Related To a User Session + * @param userSession Is Attribute related to a User Session. * * @return builder * @@ -271,7 +271,7 @@ public Builder userSession(Output userSession) { } /** - * @param userSession Is Attribute Related To a User Session + * @param userSession Is Attribute related to a User Session. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapper.java index 71f4c4f8..c8214c4f 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapper.java @@ -16,6 +16,70 @@ import java.util.Optional; import javax.annotation.Nullable; +/** + * Allows for creating and managing hardcoded role mappers for Keycloak identity provider. + * + * The identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider. + * + * ## Example Usage + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.oidc.IdentityProvider; + * import com.pulumi.keycloak.oidc.IdentityProviderArgs; + * import com.pulumi.keycloak.Role; + * import com.pulumi.keycloak.RoleArgs; + * import com.pulumi.keycloak.HardcodedRoleIdentityMapper; + * import com.pulumi.keycloak.HardcodedRoleIdentityMapperArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var oidcIdentityProvider = new IdentityProvider("oidcIdentityProvider", IdentityProviderArgs.builder() + * .realm(realm.id()) + * .alias("my-idp") + * .authorizationUrl("https://authorizationurl.com") + * .clientId("clientID") + * .clientSecret("clientSecret") + * .tokenUrl("https://tokenurl.com") + * .build()); + * + * var realmRole = new Role("realmRole", RoleArgs.builder() + * .realmId(realm.id()) + * .description("My Realm Role") + * .build()); + * + * var oidcHardcodedRoleIdentityMapper = new HardcodedRoleIdentityMapper("oidcHardcodedRoleIdentityMapper", HardcodedRoleIdentityMapperArgs.builder() + * .realm(realm.id()) + * .identityProviderAlias(oidcIdentityProvider.alias()) + * .role("my-realm-role") + * .extraConfig(Map.of("syncMode", "INHERIT")) + * .build()); + * + * } + * } + * ``` + * + */ @ResourceType(type="keycloak:index/hardcodedRoleIdentityMapper:HardcodedRoleIdentityMapper") public class HardcodedRoleIdentityMapper extends com.pulumi.resources.CustomResource { @Export(name="extraConfig", refs={Map.class,String.class,Object.class}, tree="[0,1,2]") @@ -25,56 +89,56 @@ public Output>> extraConfig() { return Codegen.optional(this.extraConfig); } /** - * IDP Alias + * The IDP alias of the attribute to set. * */ @Export(name="identityProviderAlias", refs={String.class}, tree="[0]") private Output identityProviderAlias; /** - * @return IDP Alias + * @return The IDP alias of the attribute to set. * */ public Output identityProviderAlias() { return this.identityProviderAlias; } /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return IDP Mapper Name + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } /** - * Realm Name + * The realm ID that this mapper will exist in. * */ @Export(name="realm", refs={String.class}, tree="[0]") private Output realm; /** - * @return Realm Name + * @return The realm ID that this mapper will exist in. * */ public Output realm() { return this.realm; } /** - * Role Name + * The name of the role which should be assigned to the users. * */ @Export(name="role", refs={String.class}, tree="[0]") private Output role; /** - * @return Role Name + * @return The name of the role which should be assigned to the users. * */ public Output> role() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapperArgs.java index 3f16fda7..8eae1fa2 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/HardcodedRoleIdentityMapperArgs.java @@ -25,14 +25,14 @@ public Optional>> extraConfig() { } /** - * IDP Alias + * The IDP alias of the attribute to set. * */ @Import(name="identityProviderAlias", required=true) private Output identityProviderAlias; /** - * @return IDP Alias + * @return The IDP alias of the attribute to set. * */ public Output identityProviderAlias() { @@ -40,14 +40,14 @@ public Output identityProviderAlias() { } /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -55,14 +55,14 @@ public Optional> name() { } /** - * Realm Name + * The realm ID that this mapper will exist in. * */ @Import(name="realm", required=true) private Output realm; /** - * @return Realm Name + * @return The realm ID that this mapper will exist in. * */ public Output realm() { @@ -70,14 +70,14 @@ public Output realm() { } /** - * Role Name + * The name of the role which should be assigned to the users. * */ @Import(name="role") private @Nullable Output role; /** - * @return Role Name + * @return The name of the role which should be assigned to the users. * */ public Optional> role() { @@ -122,7 +122,7 @@ public Builder extraConfig(Map extraConfig) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -133,7 +133,7 @@ public Builder identityProviderAlias(Output identityProviderAlias) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -143,7 +143,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -154,7 +154,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -164,7 +164,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -175,7 +175,7 @@ public Builder realm(Output realm) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -185,7 +185,7 @@ public Builder realm(String realm) { } /** - * @param role Role Name + * @param role The name of the role which should be assigned to the users. * * @return builder * @@ -196,7 +196,7 @@ public Builder role(@Nullable Output role) { } /** - * @param role Role Name + * @param role The name of the role which should be assigned to the users. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/UsersPermissions.java b/sdk/java/src/main/java/com/pulumi/keycloak/UsersPermissions.java index 63b31f28..9e160e05 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/UsersPermissions.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/UsersPermissions.java @@ -21,6 +21,146 @@ import java.util.Optional; import javax.annotation.Nullable; +/** + * ## Example Usage + * + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.openid.OpenidFunctions; + * import com.pulumi.keycloak.openid.inputs.GetClientArgs; + * import com.pulumi.keycloak.openid.ClientPermissions; + * import com.pulumi.keycloak.openid.ClientPermissionsArgs; + * import com.pulumi.keycloak.User; + * import com.pulumi.keycloak.UserArgs; + * import com.pulumi.keycloak.openid.ClientUserPolicy; + * import com.pulumi.keycloak.openid.ClientUserPolicyArgs; + * import com.pulumi.keycloak.UsersPermissions; + * import com.pulumi.keycloak.UsersPermissionsArgs; + * import com.pulumi.keycloak.inputs.UsersPermissionsViewScopeArgs; + * import com.pulumi.keycloak.inputs.UsersPermissionsManageScopeArgs; + * import com.pulumi.keycloak.inputs.UsersPermissionsMapRolesScopeArgs; + * import com.pulumi.keycloak.inputs.UsersPermissionsManageGroupMembershipScopeArgs; + * import com.pulumi.keycloak.inputs.UsersPermissionsImpersonateScopeArgs; + * import com.pulumi.keycloak.inputs.UsersPermissionsUserImpersonatedScopeArgs; + * import com.pulumi.resources.CustomResourceOptions; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .build()); + * + * final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder() + * .realmId(realm.id()) + * .clientId("realm-management") + * .build()); + * + * var realmManagementPermission = new ClientPermissions("realmManagementPermission", ClientPermissionsArgs.builder() + * .realmId(realm.id()) + * .clientId(realmManagement.applyValue(getClientResult -> getClientResult).applyValue(realmManagement -> realmManagement.applyValue(getClientResult -> getClientResult.id()))) + * .enabled(true) + * .build()); + * + * var testUser = new User("testUser", UserArgs.builder() + * .realmId(realm.id()) + * .username("test-user") + * .email("test-user@fakedomain.com") + * .firstName("Testy") + * .lastName("Tester") + * .build()); + * + * var testClientUserPolicy = new ClientUserPolicy("testClientUserPolicy", ClientUserPolicyArgs.builder() + * .realmId(realm.id()) + * .resourceServerId(realmManagement.applyValue(getClientResult -> getClientResult).applyValue(realmManagement -> realmManagement.applyValue(getClientResult -> getClientResult.id()))) + * .users(testUser.id()) + * .logic("POSITIVE") + * .decisionStrategy("UNANIMOUS") + * .build(), CustomResourceOptions.builder() + * .dependsOn(realmManagementPermission) + * .build()); + * + * var usersPermissions = new UsersPermissions("usersPermissions", UsersPermissionsArgs.builder() + * .realmId(realm.id()) + * .viewScope(UsersPermissionsViewScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .manageScope(UsersPermissionsManageScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .mapRolesScope(UsersPermissionsMapRolesScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .manageGroupMembershipScope(UsersPermissionsManageGroupMembershipScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .impersonateScope(UsersPermissionsImpersonateScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .userImpersonatedScope(UsersPermissionsUserImpersonatedScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .build()); + * + * } + * } + * ``` + * ### Argument Reference + * + * The following arguments are supported: + * + * - `realm_id` - (Required) The realm in which to manage fine-grained user permissions. + * + * Each of the scopes that can be managed are defined below: + * + * - `view_scope` - (Optional) When specified, set the scope based view permission. + * - `manage_scope` - (Optional) When specified, set the scope based manage permission. + * - `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission. + * - `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission. + * - `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission. + * - `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission. + * + * The configuration block for each of these scopes supports the following arguments: + * + * - `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. + * - `description` - (Optional) Description of the permission. + * - `decision_strategy` - (Optional) Decision strategy of the permission. + * + * ### Attributes Reference + * + * In addition to the arguments listed above, the following computed attributes are exported: + * + * - `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. + * - `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed. + * + */ @ResourceType(type="keycloak:index/usersPermissions:UsersPermissions") public class UsersPermissions extends com.pulumi.resources.CustomResource { /** diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeToRoleIdentityMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeToRoleIdentityMapperState.java index fbb96b1d..4e074c0b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeToRoleIdentityMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/AttributeToRoleIdentityMapperState.java @@ -18,14 +18,14 @@ public final class AttributeToRoleIdentityMapperState extends com.pulumi.resourc public static final AttributeToRoleIdentityMapperState Empty = new AttributeToRoleIdentityMapperState(); /** - * Attribute Friendly Name + * Attribute Friendly Name. Conflicts with `attribute_name`. * */ @Import(name="attributeFriendlyName") private @Nullable Output attributeFriendlyName; /** - * @return Attribute Friendly Name + * @return Attribute Friendly Name. Conflicts with `attribute_name`. * */ public Optional> attributeFriendlyName() { @@ -33,14 +33,14 @@ public Optional> attributeFriendlyName() { } /** - * Attribute Name + * Attribute Name. * */ @Import(name="attributeName") private @Nullable Output attributeName; /** - * @return Attribute Name + * @return Attribute Name. * */ public Optional> attributeName() { @@ -48,14 +48,14 @@ public Optional> attributeName() { } /** - * Attribute Value + * Attribute Value. * */ @Import(name="attributeValue") private @Nullable Output attributeValue; /** - * @return Attribute Value + * @return Attribute Value. * */ public Optional> attributeValue() { @@ -92,22 +92,30 @@ public Optional> claimValue() { return Optional.ofNullable(this.claimValue); } + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ @Import(name="extraConfig") private @Nullable Output> extraConfig; + /** + * @return Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + */ public Optional>> extraConfig() { return Optional.ofNullable(this.extraConfig); } /** - * IDP Alias + * The alias of the associated identity provider. * */ @Import(name="identityProviderAlias") private @Nullable Output identityProviderAlias; /** - * @return IDP Alias + * @return The alias of the associated identity provider. * */ public Optional> identityProviderAlias() { @@ -115,14 +123,14 @@ public Optional> identityProviderAlias() { } /** - * IDP Mapper Name + * The name of the mapper. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return The name of the mapper. * */ public Optional> name() { @@ -130,14 +138,14 @@ public Optional> name() { } /** - * Realm Name + * The name of the realm. * */ @Import(name="realm") private @Nullable Output realm; /** - * @return Realm Name + * @return The name of the realm. * */ public Optional> realm() { @@ -145,14 +153,14 @@ public Optional> realm() { } /** - * Role Name + * Role Name. * */ @Import(name="role") private @Nullable Output role; /** - * @return Role Name + * @return Role Name. * */ public Optional> role() { @@ -193,7 +201,7 @@ public Builder(AttributeToRoleIdentityMapperState defaults) { } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName Attribute Friendly Name. Conflicts with `attribute_name`. * * @return builder * @@ -204,7 +212,7 @@ public Builder attributeFriendlyName(@Nullable Output attributeFriendlyN } /** - * @param attributeFriendlyName Attribute Friendly Name + * @param attributeFriendlyName Attribute Friendly Name. Conflicts with `attribute_name`. * * @return builder * @@ -214,7 +222,7 @@ public Builder attributeFriendlyName(String attributeFriendlyName) { } /** - * @param attributeName Attribute Name + * @param attributeName Attribute Name. * * @return builder * @@ -225,7 +233,7 @@ public Builder attributeName(@Nullable Output attributeName) { } /** - * @param attributeName Attribute Name + * @param attributeName Attribute Name. * * @return builder * @@ -235,7 +243,7 @@ public Builder attributeName(String attributeName) { } /** - * @param attributeValue Attribute Value + * @param attributeValue Attribute Value. * * @return builder * @@ -246,7 +254,7 @@ public Builder attributeValue(@Nullable Output attributeValue) { } /** - * @param attributeValue Attribute Value + * @param attributeValue Attribute Value. * * @return builder * @@ -297,17 +305,29 @@ public Builder claimValue(String claimValue) { return claimValue(Output.of(claimValue)); } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(@Nullable Output> extraConfig) { $.extraConfig = extraConfig; return this; } + /** + * @param extraConfig Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + * + * @return builder + * + */ public Builder extraConfig(Map extraConfig) { return extraConfig(Output.of(extraConfig)); } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -318,7 +338,7 @@ public Builder identityProviderAlias(@Nullable Output identityProviderAl } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The alias of the associated identity provider. * * @return builder * @@ -328,7 +348,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -339,7 +359,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name The name of the mapper. * * @return builder * @@ -349,7 +369,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * @@ -360,7 +380,7 @@ public Builder realm(@Nullable Output realm) { } /** - * @param realm Realm Name + * @param realm The name of the realm. * * @return builder * @@ -370,7 +390,7 @@ public Builder realm(String realm) { } /** - * @param role Role Name + * @param role Role Name. * * @return builder * @@ -381,7 +401,7 @@ public Builder role(@Nullable Output role) { } /** - * @param role Role Name + * @param role Role Name. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedAttributeIdentityProviderMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedAttributeIdentityProviderMapperState.java index 70485a23..c9719e64 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedAttributeIdentityProviderMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedAttributeIdentityProviderMapperState.java @@ -19,14 +19,14 @@ public final class HardcodedAttributeIdentityProviderMapperState extends com.pul public static final HardcodedAttributeIdentityProviderMapperState Empty = new HardcodedAttributeIdentityProviderMapperState(); /** - * OIDC Claim + * The name of the IDP attribute to set. * */ @Import(name="attributeName") private @Nullable Output attributeName; /** - * @return OIDC Claim + * @return The name of the IDP attribute to set. * */ public Optional> attributeName() { @@ -34,14 +34,14 @@ public Optional> attributeName() { } /** - * User Attribute + * The value to set to the attribute. You can hardcode any value like 'foo'. * */ @Import(name="attributeValue") private @Nullable Output attributeValue; /** - * @return User Attribute + * @return The value to set to the attribute. You can hardcode any value like 'foo'. * */ public Optional> attributeValue() { @@ -56,14 +56,14 @@ public Optional>> extraConfig() { } /** - * IDP Alias + * The IDP alias of the attribute to set. * */ @Import(name="identityProviderAlias") private @Nullable Output identityProviderAlias; /** - * @return IDP Alias + * @return The IDP alias of the attribute to set. * */ public Optional> identityProviderAlias() { @@ -71,14 +71,14 @@ public Optional> identityProviderAlias() { } /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -86,14 +86,14 @@ public Optional> name() { } /** - * Realm Name + * The realm ID that this mapper will exist in. * */ @Import(name="realm") private @Nullable Output realm; /** - * @return Realm Name + * @return The realm ID that this mapper will exist in. * */ public Optional> realm() { @@ -101,14 +101,14 @@ public Optional> realm() { } /** - * Is Attribute Related To a User Session + * Is Attribute related to a User Session. * */ @Import(name="userSession") private @Nullable Output userSession; /** - * @return Is Attribute Related To a User Session + * @return Is Attribute related to a User Session. * */ public Optional> userSession() { @@ -146,7 +146,7 @@ public Builder(HardcodedAttributeIdentityProviderMapperState defaults) { } /** - * @param attributeName OIDC Claim + * @param attributeName The name of the IDP attribute to set. * * @return builder * @@ -157,7 +157,7 @@ public Builder attributeName(@Nullable Output attributeName) { } /** - * @param attributeName OIDC Claim + * @param attributeName The name of the IDP attribute to set. * * @return builder * @@ -167,7 +167,7 @@ public Builder attributeName(String attributeName) { } /** - * @param attributeValue User Attribute + * @param attributeValue The value to set to the attribute. You can hardcode any value like 'foo'. * * @return builder * @@ -178,7 +178,7 @@ public Builder attributeValue(@Nullable Output attributeValue) { } /** - * @param attributeValue User Attribute + * @param attributeValue The value to set to the attribute. You can hardcode any value like 'foo'. * * @return builder * @@ -197,7 +197,7 @@ public Builder extraConfig(Map extraConfig) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -208,7 +208,7 @@ public Builder identityProviderAlias(@Nullable Output identityProviderAl } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -218,7 +218,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -229,7 +229,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -239,7 +239,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -250,7 +250,7 @@ public Builder realm(@Nullable Output realm) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -260,7 +260,7 @@ public Builder realm(String realm) { } /** - * @param userSession Is Attribute Related To a User Session + * @param userSession Is Attribute related to a User Session. * * @return builder * @@ -271,7 +271,7 @@ public Builder userSession(@Nullable Output userSession) { } /** - * @param userSession Is Attribute Related To a User Session + * @param userSession Is Attribute related to a User Session. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedRoleIdentityMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedRoleIdentityMapperState.java index 0f9c86b2..21241cbb 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedRoleIdentityMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/inputs/HardcodedRoleIdentityMapperState.java @@ -25,14 +25,14 @@ public Optional>> extraConfig() { } /** - * IDP Alias + * The IDP alias of the attribute to set. * */ @Import(name="identityProviderAlias") private @Nullable Output identityProviderAlias; /** - * @return IDP Alias + * @return The IDP alias of the attribute to set. * */ public Optional> identityProviderAlias() { @@ -40,14 +40,14 @@ public Optional> identityProviderAlias() { } /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return IDP Mapper Name + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -55,14 +55,14 @@ public Optional> name() { } /** - * Realm Name + * The realm ID that this mapper will exist in. * */ @Import(name="realm") private @Nullable Output realm; /** - * @return Realm Name + * @return The realm ID that this mapper will exist in. * */ public Optional> realm() { @@ -70,14 +70,14 @@ public Optional> realm() { } /** - * Role Name + * The name of the role which should be assigned to the users. * */ @Import(name="role") private @Nullable Output role; /** - * @return Role Name + * @return The name of the role which should be assigned to the users. * */ public Optional> role() { @@ -122,7 +122,7 @@ public Builder extraConfig(Map extraConfig) { } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -133,7 +133,7 @@ public Builder identityProviderAlias(@Nullable Output identityProviderAl } /** - * @param identityProviderAlias IDP Alias + * @param identityProviderAlias The IDP alias of the attribute to set. * * @return builder * @@ -143,7 +143,7 @@ public Builder identityProviderAlias(String identityProviderAlias) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -154,7 +154,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name IDP Mapper Name + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -164,7 +164,7 @@ public Builder name(String name) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -175,7 +175,7 @@ public Builder realm(@Nullable Output realm) { } /** - * @param realm Realm Name + * @param realm The realm ID that this mapper will exist in. * * @return builder * @@ -185,7 +185,7 @@ public Builder realm(String realm) { } /** - * @param role Role Name + * @param role The name of the role which should be assigned to the users. * * @return builder * @@ -196,7 +196,7 @@ public Builder role(@Nullable Output role) { } /** - * @param role Role Name + * @param role The name of the role which should be assigned to the users. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapper.java index 5cf7cec1..e7f89796 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapper.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapper.java @@ -13,59 +13,134 @@ import java.lang.String; import javax.annotation.Nullable; +/** + * Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP. + * + * The LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP. + * + * ## Example Usage + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.ldap.UserFederation; + * import com.pulumi.keycloak.ldap.UserFederationArgs; + * import com.pulumi.keycloak.Group; + * import com.pulumi.keycloak.GroupArgs; + * import com.pulumi.keycloak.ldap.HardcodedGroupMapper; + * import com.pulumi.keycloak.ldap.HardcodedGroupMapperArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var ldapUserFederation = new UserFederation("ldapUserFederation", UserFederationArgs.builder() + * .realmId(realm.id()) + * .usernameLdapAttribute("cn") + * .rdnLdapAttribute("cn") + * .uuidLdapAttribute("entryDN") + * .userObjectClasses( + * "simpleSecurityObject", + * "organizationalRole") + * .connectionUrl("ldap://openldap") + * .usersDn("dc=example,dc=org") + * .bindDn("cn=admin,dc=example,dc=org") + * .bindCredential("admin") + * .build()); + * + * var realmGroup = new Group("realmGroup", GroupArgs.builder() + * .realmId(realm.id()) + * .build()); + * + * var assignGroupToUsers = new HardcodedGroupMapper("assignGroupToUsers", HardcodedGroupMapperArgs.builder() + * .realmId(realm.id()) + * .ldapUserFederationId(ldapUserFederation.id()) + * .group(realmGroup.name()) + * .build()); + * + * } + * } + * ``` + * + * ## Import + * + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash + * + * ```sh + * $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` + * + */ @ResourceType(type="keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper") public class HardcodedGroupMapper extends com.pulumi.resources.CustomResource { /** - * Group to grant to user. + * The name of the group which should be assigned to the users. * */ @Export(name="group", refs={String.class}, tree="[0]") private Output group; /** - * @return Group to grant to user. + * @return The name of the group which should be assigned to the users. * */ public Output group() { return this.group; } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Export(name="ldapUserFederationId", refs={String.class}, tree="[0]") private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { return this.ldapUserFederationId; } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Output name() { return this.name; } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapperArgs.java index 91cd40ba..4295c4e0 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapperArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/HardcodedGroupMapperArgs.java @@ -16,14 +16,14 @@ public final class HardcodedGroupMapperArgs extends com.pulumi.resources.Resourc public static final HardcodedGroupMapperArgs Empty = new HardcodedGroupMapperArgs(); /** - * Group to grant to user. + * The name of the group which should be assigned to the users. * */ @Import(name="group", required=true) private Output group; /** - * @return Group to grant to user. + * @return The name of the group which should be assigned to the users. * */ public Output group() { @@ -31,14 +31,14 @@ public Output group() { } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId", required=true) private Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Output ldapUserFederationId() { @@ -46,14 +46,14 @@ public Output ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -61,14 +61,14 @@ public Optional> name() { } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Output realmId() { @@ -103,7 +103,7 @@ public Builder(HardcodedGroupMapperArgs defaults) { } /** - * @param group Group to grant to user. + * @param group The name of the group which should be assigned to the users. * * @return builder * @@ -114,7 +114,7 @@ public Builder group(Output group) { } /** - * @param group Group to grant to user. + * @param group The name of the group which should be assigned to the users. * * @return builder * @@ -124,7 +124,7 @@ public Builder group(String group) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -135,7 +135,7 @@ public Builder ldapUserFederationId(Output ldapUserFederationId) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -145,7 +145,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -156,7 +156,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -166,7 +166,7 @@ public Builder name(String name) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -177,7 +177,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedGroupMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedGroupMapperState.java index bc9bf42c..e9a23b8d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedGroupMapperState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/ldap/inputs/HardcodedGroupMapperState.java @@ -16,14 +16,14 @@ public final class HardcodedGroupMapperState extends com.pulumi.resources.Resour public static final HardcodedGroupMapperState Empty = new HardcodedGroupMapperState(); /** - * Group to grant to user. + * The name of the group which should be assigned to the users. * */ @Import(name="group") private @Nullable Output group; /** - * @return Group to grant to user. + * @return The name of the group which should be assigned to the users. * */ public Optional> group() { @@ -31,14 +31,14 @@ public Optional> group() { } /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. * */ @Import(name="ldapUserFederationId") private @Nullable Output ldapUserFederationId; /** - * @return The ldap user federation provider to attach this mapper to. + * @return The ID of the LDAP user federation provider to attach this mapper to. * */ public Optional> ldapUserFederationId() { @@ -46,14 +46,14 @@ public Optional> ldapUserFederationId() { } /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. * */ @Import(name="name") private @Nullable Output name; /** - * @return Display name of the mapper when displayed in the console. + * @return Display name of this mapper when displayed in the console. * */ public Optional> name() { @@ -61,14 +61,14 @@ public Optional> name() { } /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm in which the ldap user federation provider exists. + * @return The realm that this LDAP mapper will exist in. * */ public Optional> realmId() { @@ -103,7 +103,7 @@ public Builder(HardcodedGroupMapperState defaults) { } /** - * @param group Group to grant to user. + * @param group The name of the group which should be assigned to the users. * * @return builder * @@ -114,7 +114,7 @@ public Builder group(@Nullable Output group) { } /** - * @param group Group to grant to user. + * @param group The name of the group which should be assigned to the users. * * @return builder * @@ -124,7 +124,7 @@ public Builder group(String group) { } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -135,7 +135,7 @@ public Builder ldapUserFederationId(@Nullable Output ldapUserFederationI } /** - * @param ldapUserFederationId The ldap user federation provider to attach this mapper to. + * @param ldapUserFederationId The ID of the LDAP user federation provider to attach this mapper to. * * @return builder * @@ -145,7 +145,7 @@ public Builder ldapUserFederationId(String ldapUserFederationId) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -156,7 +156,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name Display name of the mapper when displayed in the console. + * @param name Display name of this mapper when displayed in the console. * * @return builder * @@ -166,7 +166,7 @@ public Builder name(String name) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * @@ -177,7 +177,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm in which the ldap user federation provider exists. + * @param realmId The realm that this LDAP mapper will exist in. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapper.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapper.java new file mode 100644 index 00000000..d93ac1f2 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapper.java @@ -0,0 +1,241 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.keycloak.openid; + +import com.pulumi.core.Alias; +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Export; +import com.pulumi.core.annotations.ResourceType; +import com.pulumi.core.internal.Codegen; +import com.pulumi.keycloak.Utilities; +import com.pulumi.keycloak.openid.AudienceResolveProtocolMapperArgs; +import com.pulumi.keycloak.openid.inputs.AudienceResolveProtocolMapperState; +import java.lang.String; +import java.util.List; +import java.util.Optional; +import javax.annotation.Nullable; + +/** + * Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. + * + * This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles + * to imply which audiences are appropriate for the token. See the + * [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. + * + * ## Example Usage + * ### Client) + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.openid.Client; + * import com.pulumi.keycloak.openid.ClientArgs; + * import com.pulumi.keycloak.openid.AudienceResolveProtocolMapper; + * import com.pulumi.keycloak.openid.AudienceResolveProtocolMapperArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var openidClient = new Client("openidClient", ClientArgs.builder() + * .realmId(realm.id()) + * .clientId("client") + * .enabled(true) + * .accessType("CONFIDENTIAL") + * .validRedirectUris("http://localhost:8080/openid-callback") + * .build()); + * + * var audienceMapper = new AudienceResolveProtocolMapper("audienceMapper", AudienceResolveProtocolMapperArgs.builder() + * .realmId(realm.id()) + * .clientId(openidClient.id()) + * .build()); + * + * } + * } + * ``` + * ### Client Scope) + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.openid.ClientScope; + * import com.pulumi.keycloak.openid.ClientScopeArgs; + * import com.pulumi.keycloak.openid.AudienceProtocolMapper; + * import com.pulumi.keycloak.openid.AudienceProtocolMapperArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder() + * .realmId(realm.id()) + * .build()); + * + * var audienceMapper = new AudienceProtocolMapper("audienceMapper", AudienceProtocolMapperArgs.builder() + * .realmId(realm.id()) + * .clientScopeId(clientScope.id()) + * .build()); + * + * } + * } + * ``` + * + * ## Import + * + * Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash + * + * ```sh + * $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + */ +@ResourceType(type="keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper") +public class AudienceResolveProtocolMapper extends com.pulumi.resources.CustomResource { + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + @Export(name="clientId", refs={String.class}, tree="[0]") + private Output clientId; + + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + public Output> clientId() { + return Codegen.optional(this.clientId); + } + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + @Export(name="clientScopeId", refs={String.class}, tree="[0]") + private Output clientScopeId; + + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + public Output> clientScopeId() { + return Codegen.optional(this.clientScopeId); + } + /** + * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + */ + @Export(name="name", refs={String.class}, tree="[0]") + private Output name; + + /** + * @return The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + */ + public Output name() { + return this.name; + } + /** + * The realm this protocol mapper exists within. + * + */ + @Export(name="realmId", refs={String.class}, tree="[0]") + private Output realmId; + + /** + * @return The realm this protocol mapper exists within. + * + */ + public Output realmId() { + return this.realmId; + } + + /** + * + * @param name The _unique_ name of the resulting resource. + */ + public AudienceResolveProtocolMapper(String name) { + this(name, AudienceResolveProtocolMapperArgs.Empty); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + */ + public AudienceResolveProtocolMapper(String name, AudienceResolveProtocolMapperArgs args) { + this(name, args, null); + } + /** + * + * @param name The _unique_ name of the resulting resource. + * @param args The arguments to use to populate this resource's properties. + * @param options A bag of options that control this resource's behavior. + */ + public AudienceResolveProtocolMapper(String name, AudienceResolveProtocolMapperArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", name, args == null ? AudienceResolveProtocolMapperArgs.Empty : args, makeResourceOptions(options, Codegen.empty())); + } + + private AudienceResolveProtocolMapper(String name, Output id, @Nullable AudienceResolveProtocolMapperState state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + super("keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper", name, state, makeResourceOptions(options, id)); + } + + private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output id) { + var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder() + .version(Utilities.getVersion()) + .aliases(List.of( + Output.of(Alias.builder().type("keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter").build()) + )) + .build(); + return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id); + } + + /** + * Get an existing Host resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state + * @param options Optional settings to control the behavior of the CustomResource. + */ + public static AudienceResolveProtocolMapper get(String name, Output id, @Nullable AudienceResolveProtocolMapperState state, @Nullable com.pulumi.resources.CustomResourceOptions options) { + return new AudienceResolveProtocolMapper(name, id, state, options); + } +} diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapperArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapperArgs.java new file mode 100644 index 00000000..d6a1c01e --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMapperArgs.java @@ -0,0 +1,195 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.keycloak.openid; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import java.lang.String; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class AudienceResolveProtocolMapperArgs extends com.pulumi.resources.ResourceArgs { + + public static final AudienceResolveProtocolMapperArgs Empty = new AudienceResolveProtocolMapperArgs(); + + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + @Import(name="clientId") + private @Nullable Output clientId; + + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + public Optional> clientId() { + return Optional.ofNullable(this.clientId); + } + + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + @Import(name="clientScopeId") + private @Nullable Output clientScopeId; + + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + public Optional> clientScopeId() { + return Optional.ofNullable(this.clientScopeId); + } + + /** + * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + */ + @Import(name="name") + private @Nullable Output name; + + /** + * @return The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + */ + public Optional> name() { + return Optional.ofNullable(this.name); + } + + /** + * The realm this protocol mapper exists within. + * + */ + @Import(name="realmId", required=true) + private Output realmId; + + /** + * @return The realm this protocol mapper exists within. + * + */ + public Output realmId() { + return this.realmId; + } + + private AudienceResolveProtocolMapperArgs() {} + + private AudienceResolveProtocolMapperArgs(AudienceResolveProtocolMapperArgs $) { + this.clientId = $.clientId; + this.clientScopeId = $.clientScopeId; + this.name = $.name; + this.realmId = $.realmId; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(AudienceResolveProtocolMapperArgs defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private AudienceResolveProtocolMapperArgs $; + + public Builder() { + $ = new AudienceResolveProtocolMapperArgs(); + } + + public Builder(AudienceResolveProtocolMapperArgs defaults) { + $ = new AudienceResolveProtocolMapperArgs(Objects.requireNonNull(defaults)); + } + + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientId(@Nullable Output clientId) { + $.clientId = clientId; + return this; + } + + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientId(String clientId) { + return clientId(Output.of(clientId)); + } + + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientScopeId(@Nullable Output clientScopeId) { + $.clientScopeId = clientScopeId; + return this; + } + + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientScopeId(String clientScopeId) { + return clientScopeId(Output.of(clientScopeId)); + } + + /** + * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + * @return builder + * + */ + public Builder name(@Nullable Output name) { + $.name = name; + return this; + } + + /** + * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + * @return builder + * + */ + public Builder name(String name) { + return name(Output.of(name)); + } + + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ + public Builder realmId(Output realmId) { + $.realmId = realmId; + return this; + } + + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ + public Builder realmId(String realmId) { + return realmId(Output.of(realmId)); + } + + public AudienceResolveProtocolMapperArgs build() { + $.realmId = Objects.requireNonNull($.realmId, "expected parameter 'realmId' to be non-null"); + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappter.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappter.java index 69a862e2..f809cf84 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappter.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappter.java @@ -15,170 +15,64 @@ import javax.annotation.Nullable; /** - * Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. - * - * This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles - * to imply which audiences are appropriate for the token. See the - * [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. - * - * ## Example Usage - * ### Client) - * ```java - * package generated_program; - * - * import com.pulumi.Context; - * import com.pulumi.Pulumi; - * import com.pulumi.core.Output; - * import com.pulumi.keycloak.Realm; - * import com.pulumi.keycloak.RealmArgs; - * import com.pulumi.keycloak.openid.Client; - * import com.pulumi.keycloak.openid.ClientArgs; - * import com.pulumi.keycloak.openid.AudienceResolveProtocolMappter; - * import com.pulumi.keycloak.openid.AudienceResolveProtocolMappterArgs; - * import java.util.List; - * import java.util.ArrayList; - * import java.util.Map; - * import java.io.File; - * import java.nio.file.Files; - * import java.nio.file.Paths; - * - * public class App { - * public static void main(String[] args) { - * Pulumi.run(App::stack); - * } - * - * public static void stack(Context ctx) { - * var realm = new Realm("realm", RealmArgs.builder() - * .realm("my-realm") - * .enabled(true) - * .build()); - * - * var openidClient = new Client("openidClient", ClientArgs.builder() - * .realmId(realm.id()) - * .clientId("client") - * .enabled(true) - * .accessType("CONFIDENTIAL") - * .validRedirectUris("http://localhost:8080/openid-callback") - * .build()); - * - * var audienceMapper = new AudienceResolveProtocolMappter("audienceMapper", AudienceResolveProtocolMappterArgs.builder() - * .realmId(realm.id()) - * .clientId(openidClient.id()) - * .build()); - * - * } - * } - * ``` - * ### Client Scope) - * ```java - * package generated_program; - * - * import com.pulumi.Context; - * import com.pulumi.Pulumi; - * import com.pulumi.core.Output; - * import com.pulumi.keycloak.Realm; - * import com.pulumi.keycloak.RealmArgs; - * import com.pulumi.keycloak.openid.ClientScope; - * import com.pulumi.keycloak.openid.ClientScopeArgs; - * import com.pulumi.keycloak.openid.AudienceProtocolMapper; - * import com.pulumi.keycloak.openid.AudienceProtocolMapperArgs; - * import java.util.List; - * import java.util.ArrayList; - * import java.util.Map; - * import java.io.File; - * import java.nio.file.Files; - * import java.nio.file.Paths; - * - * public class App { - * public static void main(String[] args) { - * Pulumi.run(App::stack); - * } - * - * public static void stack(Context ctx) { - * var realm = new Realm("realm", RealmArgs.builder() - * .realm("my-realm") - * .enabled(true) - * .build()); - * - * var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder() - * .realmId(realm.id()) - * .build()); - * - * var audienceMapper = new AudienceProtocolMapper("audienceMapper", AudienceProtocolMapperArgs.builder() - * .realmId(realm.id()) - * .clientScopeId(clientScope.id()) - * .build()); - * - * } - * } - * ``` - * - * ## Import - * - * Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash - * - * ```sh - * $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - * ``` - * - * ```sh - * $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - * ``` + * @deprecated + * keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper * */ +@Deprecated /* keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper */ @ResourceType(type="keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter") public class AudienceResolveProtocolMappter extends com.pulumi.resources.CustomResource { /** - * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * The mapper's associated client. Cannot be used at the same time as client_scope_id. * */ @Export(name="clientId", refs={String.class}, tree="[0]") private Output clientId; /** - * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. * */ public Output> clientId() { return Codegen.optional(this.clientId); } /** - * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * The mapper's associated client scope. Cannot be used at the same time as client_id. * */ @Export(name="clientScopeId", refs={String.class}, tree="[0]") private Output clientScopeId; /** - * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @return The mapper's associated client scope. Cannot be used at the same time as client_id. * */ public Output> clientScopeId() { return Codegen.optional(this.clientScopeId); } /** - * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * A human-friendly name that will appear in the Keycloak console. * */ @Export(name="name", refs={String.class}, tree="[0]") private Output name; /** - * @return The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @return A human-friendly name that will appear in the Keycloak console. * */ public Output name() { return this.name; } /** - * The realm this protocol mapper exists within. + * The realm id where the associated client or client scope exists. * */ @Export(name="realmId", refs={String.class}, tree="[0]") private Output realmId; /** - * @return The realm this protocol mapper exists within. + * @return The realm id where the associated client or client scope exists. * */ public Output realmId() { diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappterArgs.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappterArgs.java index ad6ec702..31fd7b4d 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappterArgs.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/AudienceResolveProtocolMappterArgs.java @@ -16,14 +16,14 @@ public final class AudienceResolveProtocolMappterArgs extends com.pulumi.resourc public static final AudienceResolveProtocolMappterArgs Empty = new AudienceResolveProtocolMappterArgs(); /** - * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * The mapper's associated client. Cannot be used at the same time as client_scope_id. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. * */ public Optional> clientId() { @@ -31,14 +31,14 @@ public Optional> clientId() { } /** - * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * The mapper's associated client scope. Cannot be used at the same time as client_id. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @return The mapper's associated client scope. Cannot be used at the same time as client_id. * */ public Optional> clientScopeId() { @@ -46,14 +46,14 @@ public Optional> clientScopeId() { } /** - * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * A human-friendly name that will appear in the Keycloak console. * */ @Import(name="name") private @Nullable Output name; /** - * @return The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @return A human-friendly name that will appear in the Keycloak console. * */ public Optional> name() { @@ -61,14 +61,14 @@ public Optional> name() { } /** - * The realm this protocol mapper exists within. + * The realm id where the associated client or client scope exists. * */ @Import(name="realmId", required=true) private Output realmId; /** - * @return The realm this protocol mapper exists within. + * @return The realm id where the associated client or client scope exists. * */ public Output realmId() { @@ -103,7 +103,7 @@ public Builder(AudienceResolveProtocolMappterArgs defaults) { } /** - * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. * * @return builder * @@ -114,7 +114,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. * * @return builder * @@ -124,7 +124,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. * * @return builder * @@ -135,7 +135,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. * * @return builder * @@ -145,7 +145,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @param name A human-friendly name that will appear in the Keycloak console. * * @return builder * @@ -156,7 +156,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @param name A human-friendly name that will appear in the Keycloak console. * * @return builder * @@ -166,7 +166,7 @@ public Builder name(String name) { } /** - * @param realmId The realm this protocol mapper exists within. + * @param realmId The realm id where the associated client or client scope exists. * * @return builder * @@ -177,7 +177,7 @@ public Builder realmId(Output realmId) { } /** - * @param realmId The realm this protocol mapper exists within. + * @param realmId The realm id where the associated client or client scope exists. * * @return builder * diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientAuthorizationPermission.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientAuthorizationPermission.java index 8a79f813..42269f6b 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientAuthorizationPermission.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientAuthorizationPermission.java @@ -15,6 +15,117 @@ import java.util.Optional; import javax.annotation.Nullable; +/** + * ## # keycloak.openid.ClientAuthorizationPermission + * + * Allows you to manage openid Client Authorization Permissions. + * + * ### Example Usage + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.openid.Client; + * import com.pulumi.keycloak.openid.ClientArgs; + * import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs; + * import com.pulumi.keycloak.openid.OpenidFunctions; + * import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs; + * import com.pulumi.keycloak.openid.ClientAuthorizationResource; + * import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs; + * import com.pulumi.keycloak.openid.ClientAuthorizationScope; + * import com.pulumi.keycloak.openid.ClientAuthorizationScopeArgs; + * import com.pulumi.keycloak.openid.ClientAuthorizationPermission; + * import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("my-realm") + * .enabled(true) + * .build()); + * + * var testClient = new Client("testClient", ClientArgs.builder() + * .clientId("client_id") + * .realmId(realm.id()) + * .accessType("CONFIDENTIAL") + * .serviceAccountsEnabled(true) + * .authorization(ClientAuthorizationArgs.builder() + * .policyEnforcementMode("ENFORCING") + * .build()) + * .build()); + * + * final var default = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder() + * .realmId(realm.id()) + * .resourceServerId(testClient.resourceServerId()) + * .name("default") + * .build()); + * + * var testClientAuthorizationResource = new ClientAuthorizationResource("testClientAuthorizationResource", ClientAuthorizationResourceArgs.builder() + * .resourceServerId(testClient.resourceServerId()) + * .realmId(realm.id()) + * .uris("/endpoint/*") + * .build()); + * + * var testClientAuthorizationScope = new ClientAuthorizationScope("testClientAuthorizationScope", ClientAuthorizationScopeArgs.builder() + * .resourceServerId(testClient.resourceServerId()) + * .realmId(realm.id()) + * .build()); + * + * var testClientAuthorizationPermission = new ClientAuthorizationPermission("testClientAuthorizationPermission", ClientAuthorizationPermissionArgs.builder() + * .resourceServerId(testClient.resourceServerId()) + * .realmId(realm.id()) + * .policies(default_.applyValue(default_ -> default_.id())) + * .resources(testClientAuthorizationResource.id()) + * .build()); + * + * } + * } + * ``` + * + * ### Argument Reference + * + * The following arguments are supported: + * + * - `realm_id` - (Required) The realm this group exists in. + * - `resource_server_id` - (Required) The ID of the resource server. + * - `name` - (Required) The name of the permission. + * - `description` - (Optional) A description for the authorization permission. + * - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`. + * - `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission. + * - `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`. + * - `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`. + * - `scopes` - (Optional) A list of scope IDs that this permission must be applied to. + * - `type` - (Optional) The type of permission, can be one of `resource` or `scope`. + * + * ### Attributes Reference + * + * In addition to the arguments listed above, the following computed attributes are exported: + * + * - `id` - Permission ID representing the permission. + * + * ## Import + * + * Client authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash + * + * ```sh + * $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9 + * ``` + * + */ @ResourceType(type="keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission") public class ClientAuthorizationPermission extends com.pulumi.resources.CustomResource { @Export(name="decisionStrategy", refs={String.class}, tree="[0]") diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientPermissions.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientPermissions.java index cb034066..8151c932 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientPermissions.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/ClientPermissions.java @@ -22,6 +22,143 @@ import java.util.Optional; import javax.annotation.Nullable; +/** + * ## # keycloak.openid.ClientPermissions + * + * Allows you to manage all openid client Scope Based Permissions. + * + * This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More + * information about enabling the preview feature can be found + * here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange + * + * When enabling Openid Client Permissions, Keycloak does several things automatically: + * + * 1. Enable Authorization on build-in realm-management client + * 2. Create scopes "view", "manage", "configure", "map-roles", "map-roles-client-scope", "map-roles-composite", " + * token-exchange" + * 3. Create a resource representing the openid client + * 4. Create all scope based permission for the scopes and openid client resource + * + * If the realm-management Authorization is not enable, you have to ceate a dependency (`depends_on`) with the policy and + * the openid client. + * + * ### Example Usage + * ```java + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.keycloak.Realm; + * import com.pulumi.keycloak.RealmArgs; + * import com.pulumi.keycloak.openid.Client; + * import com.pulumi.keycloak.openid.ClientArgs; + * import com.pulumi.keycloak.openid.OpenidFunctions; + * import com.pulumi.keycloak.openid.inputs.GetClientArgs; + * import com.pulumi.keycloak.User; + * import com.pulumi.keycloak.UserArgs; + * import com.pulumi.keycloak.openid.ClientUserPolicy; + * import com.pulumi.keycloak.openid.ClientUserPolicyArgs; + * import com.pulumi.keycloak.openid.ClientPermissions; + * import com.pulumi.keycloak.openid.ClientPermissionsArgs; + * import com.pulumi.keycloak.openid.inputs.ClientPermissionsViewScopeArgs; + * import com.pulumi.resources.CustomResourceOptions; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var realm = new Realm("realm", RealmArgs.builder() + * .realm("realm") + * .build()); + * + * var myOpenidClient = new Client("myOpenidClient", ClientArgs.builder() + * .realmId(realm.id()) + * .clientId("my_openid_client") + * .clientSecret("secret") + * .accessType("CONFIDENTIAL") + * .standardFlowEnabled(true) + * .validRedirectUris("http://localhost:8080/*") + * .build()); + * + * final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder() + * .realmId(realm.id()) + * .clientId("realm-management") + * .build()); + * + * var testUser = new User("testUser", UserArgs.builder() + * .realmId(realm.id()) + * .username("test-user") + * .email("test-user@fakedomain.com") + * .firstName("Testy") + * .lastName("Tester") + * .build()); + * + * var testClientUserPolicy = new ClientUserPolicy("testClientUserPolicy", ClientUserPolicyArgs.builder() + * .resourceServerId(realmManagement.applyValue(getClientResult -> getClientResult).applyValue(realmManagement -> realmManagement.applyValue(getClientResult -> getClientResult.id()))) + * .realmId(realm.id()) + * .users(testUser.id()) + * .logic("POSITIVE") + * .decisionStrategy("UNANIMOUS") + * .build(), CustomResourceOptions.builder() + * .dependsOn(myOpenidClient) + * .build()); + * + * var myPermission = new ClientPermissions("myPermission", ClientPermissionsArgs.builder() + * .realmId(realm.id()) + * .clientId(myOpenidClient.id()) + * .viewScope(ClientPermissionsViewScopeArgs.builder() + * .policies(testClientUserPolicy.id()) + * .description("my description") + * .decisionStrategy("UNANIMOUS") + * .build()) + * .build()); + * + * } + * } + * ``` + * + * ### Argument Reference + * + * The following arguments are supported: + * + * - `realm_id` - (Required) The realm this group exists in. + * - `client_id` - (Required) The id of the client that provides the role. + * + * #### Permission Scopes + * + * Permission scopes can be defined using the following attributes: + * + * - `view_scope` + * - `manage_scope` + * - `configure_scope` + * - `map_roles_scope` + * - `map_roles_client_scope_scope` + * - `map_roles_composite_scope` + * - `token_exchange_scope` + * + * Each of these attributes have the following schema: + * + * - `policies` - (Optional) A list of policy IDs + * - `description` - (Optional) A description for the permission scope + * - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. + * + * ### Attributes Reference + * + * In addition to the arguments listed above, the following computed attributes are exported: + * + * - `authorization_resource_server_id` - Resource server id representing the realm management client on which this + * permission is managed. + * + */ @ResourceType(type="keycloak:openid/clientPermissions:ClientPermissions") public class ClientPermissions extends com.pulumi.resources.CustomResource { /** diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMapperState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMapperState.java new file mode 100644 index 00000000..bbeee222 --- /dev/null +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMapperState.java @@ -0,0 +1,194 @@ +// *** WARNING: this file was generated by pulumi-java-gen. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +package com.pulumi.keycloak.openid.inputs; + +import com.pulumi.core.Output; +import com.pulumi.core.annotations.Import; +import java.lang.String; +import java.util.Objects; +import java.util.Optional; +import javax.annotation.Nullable; + + +public final class AudienceResolveProtocolMapperState extends com.pulumi.resources.ResourceArgs { + + public static final AudienceResolveProtocolMapperState Empty = new AudienceResolveProtocolMapperState(); + + /** + * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + @Import(name="clientId") + private @Nullable Output clientId; + + /** + * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + public Optional> clientId() { + return Optional.ofNullable(this.clientId); + } + + /** + * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + @Import(name="clientScopeId") + private @Nullable Output clientScopeId; + + /** + * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + */ + public Optional> clientScopeId() { + return Optional.ofNullable(this.clientScopeId); + } + + /** + * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + */ + @Import(name="name") + private @Nullable Output name; + + /** + * @return The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + */ + public Optional> name() { + return Optional.ofNullable(this.name); + } + + /** + * The realm this protocol mapper exists within. + * + */ + @Import(name="realmId") + private @Nullable Output realmId; + + /** + * @return The realm this protocol mapper exists within. + * + */ + public Optional> realmId() { + return Optional.ofNullable(this.realmId); + } + + private AudienceResolveProtocolMapperState() {} + + private AudienceResolveProtocolMapperState(AudienceResolveProtocolMapperState $) { + this.clientId = $.clientId; + this.clientScopeId = $.clientScopeId; + this.name = $.name; + this.realmId = $.realmId; + } + + public static Builder builder() { + return new Builder(); + } + public static Builder builder(AudienceResolveProtocolMapperState defaults) { + return new Builder(defaults); + } + + public static final class Builder { + private AudienceResolveProtocolMapperState $; + + public Builder() { + $ = new AudienceResolveProtocolMapperState(); + } + + public Builder(AudienceResolveProtocolMapperState defaults) { + $ = new AudienceResolveProtocolMapperState(Objects.requireNonNull(defaults)); + } + + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientId(@Nullable Output clientId) { + $.clientId = clientId; + return this; + } + + /** + * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientId(String clientId) { + return clientId(Output.of(clientId)); + } + + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientScopeId(@Nullable Output clientScopeId) { + $.clientScopeId = clientScopeId; + return this; + } + + /** + * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * + * @return builder + * + */ + public Builder clientScopeId(String clientScopeId) { + return clientScopeId(Output.of(clientScopeId)); + } + + /** + * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + * @return builder + * + */ + public Builder name(@Nullable Output name) { + $.name = name; + return this; + } + + /** + * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * + * @return builder + * + */ + public Builder name(String name) { + return name(Output.of(name)); + } + + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ + public Builder realmId(@Nullable Output realmId) { + $.realmId = realmId; + return this; + } + + /** + * @param realmId The realm this protocol mapper exists within. + * + * @return builder + * + */ + public Builder realmId(String realmId) { + return realmId(Output.of(realmId)); + } + + public AudienceResolveProtocolMapperState build() { + return $; + } + } + +} diff --git a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMappterState.java b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMappterState.java index 10f190df..04f88f73 100644 --- a/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMappterState.java +++ b/sdk/java/src/main/java/com/pulumi/keycloak/openid/inputs/AudienceResolveProtocolMappterState.java @@ -16,14 +16,14 @@ public final class AudienceResolveProtocolMappterState extends com.pulumi.resour public static final AudienceResolveProtocolMappterState Empty = new AudienceResolveProtocolMappterState(); /** - * The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * The mapper's associated client. Cannot be used at the same time as client_scope_id. * */ @Import(name="clientId") private @Nullable Output clientId; /** - * @return The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @return The mapper's associated client. Cannot be used at the same time as client_scope_id. * */ public Optional> clientId() { @@ -31,14 +31,14 @@ public Optional> clientId() { } /** - * The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * The mapper's associated client scope. Cannot be used at the same time as client_id. * */ @Import(name="clientScopeId") private @Nullable Output clientScopeId; /** - * @return The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @return The mapper's associated client scope. Cannot be used at the same time as client_id. * */ public Optional> clientScopeId() { @@ -46,14 +46,14 @@ public Optional> clientScopeId() { } /** - * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * A human-friendly name that will appear in the Keycloak console. * */ @Import(name="name") private @Nullable Output name; /** - * @return The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @return A human-friendly name that will appear in the Keycloak console. * */ public Optional> name() { @@ -61,14 +61,14 @@ public Optional> name() { } /** - * The realm this protocol mapper exists within. + * The realm id where the associated client or client scope exists. * */ @Import(name="realmId") private @Nullable Output realmId; /** - * @return The realm this protocol mapper exists within. + * @return The realm id where the associated client or client scope exists. * */ public Optional> realmId() { @@ -103,7 +103,7 @@ public Builder(AudienceResolveProtocolMappterState defaults) { } /** - * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. * * @return builder * @@ -114,7 +114,7 @@ public Builder clientId(@Nullable Output clientId) { } /** - * @param clientId The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientId The mapper's associated client. Cannot be used at the same time as client_scope_id. * * @return builder * @@ -124,7 +124,7 @@ public Builder clientId(String clientId) { } /** - * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. * * @return builder * @@ -135,7 +135,7 @@ public Builder clientScopeId(@Nullable Output clientScopeId) { } /** - * @param clientScopeId The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + * @param clientScopeId The mapper's associated client scope. Cannot be used at the same time as client_id. * * @return builder * @@ -145,7 +145,7 @@ public Builder clientScopeId(String clientScopeId) { } /** - * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @param name A human-friendly name that will appear in the Keycloak console. * * @return builder * @@ -156,7 +156,7 @@ public Builder name(@Nullable Output name) { } /** - * @param name The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * @param name A human-friendly name that will appear in the Keycloak console. * * @return builder * @@ -166,7 +166,7 @@ public Builder name(String name) { } /** - * @param realmId The realm this protocol mapper exists within. + * @param realmId The realm id where the associated client or client scope exists. * * @return builder * @@ -177,7 +177,7 @@ public Builder realmId(@Nullable Output realmId) { } /** - * @param realmId The realm this protocol mapper exists within. + * @param realmId The realm id where the associated client or client scope exists. * * @return builder * diff --git a/sdk/nodejs/attributeToRoleIdentityMapper.ts b/sdk/nodejs/attributeToRoleIdentityMapper.ts index 6217fafc..9395e924 100644 --- a/sdk/nodejs/attributeToRoleIdentityMapper.ts +++ b/sdk/nodejs/attributeToRoleIdentityMapper.ts @@ -4,6 +4,54 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; +/** + * Allows for creating and managing an attribute to role identity provider mapper within Keycloak. + * + * > If you are using Keycloak 10 or higher, you will need to specify the `extraConfig` argument in order to define a `syncMode` for the mapper. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const oidcIdentityProvider = new keycloak.oidc.IdentityProvider("oidcIdentityProvider", { + * realm: realm.id, + * alias: "oidc", + * authorizationUrl: "https://example.com/auth", + * tokenUrl: "https://example.com/token", + * clientId: "example_id", + * clientSecret: "example_token", + * defaultScopes: "openid random profile", + * }); + * const realmRole = new keycloak.Role("realmRole", { + * realmId: realm.id, + * description: "My Realm Role", + * }); + * const oidcAttributeToRoleIdentityMapper = new keycloak.AttributeToRoleIdentityMapper("oidcAttributeToRoleIdentityMapper", { + * realm: realm.id, + * identityProviderAlias: oidcIdentityProvider.alias, + * role: "my-realm-role", + * claimName: "my-claim", + * claimValue: "my-value", + * extraConfig: { + * syncMode: "INHERIT", + * }, + * }); + * ``` + * + * ## Import + * + * Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash + * + * ```sh + * $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + * ``` + */ export class AttributeToRoleIdentityMapper extends pulumi.CustomResource { /** * Get an existing AttributeToRoleIdentityMapper resource's state with the given name, ID, and optional extra @@ -33,15 +81,15 @@ export class AttributeToRoleIdentityMapper extends pulumi.CustomResource { } /** - * Attribute Friendly Name + * Attribute Friendly Name. Conflicts with `attributeName`. */ public readonly attributeFriendlyName!: pulumi.Output; /** - * Attribute Name + * Attribute Name. */ public readonly attributeName!: pulumi.Output; /** - * Attribute Value + * Attribute Value. */ public readonly attributeValue!: pulumi.Output; /** @@ -52,21 +100,24 @@ export class AttributeToRoleIdentityMapper extends pulumi.CustomResource { * OIDC Claim Value */ public readonly claimValue!: pulumi.Output; + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + */ public readonly extraConfig!: pulumi.Output<{[key: string]: any} | undefined>; /** - * IDP Alias + * The alias of the associated identity provider. */ public readonly identityProviderAlias!: pulumi.Output; /** - * IDP Mapper Name + * The name of the mapper. */ public readonly name!: pulumi.Output; /** - * Realm Name + * The name of the realm. */ public readonly realm!: pulumi.Output; /** - * Role Name + * Role Name. */ public readonly role!: pulumi.Output; @@ -125,15 +176,15 @@ export class AttributeToRoleIdentityMapper extends pulumi.CustomResource { */ export interface AttributeToRoleIdentityMapperState { /** - * Attribute Friendly Name + * Attribute Friendly Name. Conflicts with `attributeName`. */ attributeFriendlyName?: pulumi.Input; /** - * Attribute Name + * Attribute Name. */ attributeName?: pulumi.Input; /** - * Attribute Value + * Attribute Value. */ attributeValue?: pulumi.Input; /** @@ -144,21 +195,24 @@ export interface AttributeToRoleIdentityMapperState { * OIDC Claim Value */ claimValue?: pulumi.Input; + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + */ extraConfig?: pulumi.Input<{[key: string]: any}>; /** - * IDP Alias + * The alias of the associated identity provider. */ identityProviderAlias?: pulumi.Input; /** - * IDP Mapper Name + * The name of the mapper. */ name?: pulumi.Input; /** - * Realm Name + * The name of the realm. */ realm?: pulumi.Input; /** - * Role Name + * Role Name. */ role?: pulumi.Input; } @@ -168,15 +222,15 @@ export interface AttributeToRoleIdentityMapperState { */ export interface AttributeToRoleIdentityMapperArgs { /** - * Attribute Friendly Name + * Attribute Friendly Name. Conflicts with `attributeName`. */ attributeFriendlyName?: pulumi.Input; /** - * Attribute Name + * Attribute Name. */ attributeName?: pulumi.Input; /** - * Attribute Value + * Attribute Value. */ attributeValue?: pulumi.Input; /** @@ -187,21 +241,24 @@ export interface AttributeToRoleIdentityMapperArgs { * OIDC Claim Value */ claimValue?: pulumi.Input; + /** + * Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + */ extraConfig?: pulumi.Input<{[key: string]: any}>; /** - * IDP Alias + * The alias of the associated identity provider. */ identityProviderAlias: pulumi.Input; /** - * IDP Mapper Name + * The name of the mapper. */ name?: pulumi.Input; /** - * Realm Name + * The name of the realm. */ realm: pulumi.Input; /** - * Role Name + * Role Name. */ role: pulumi.Input; } diff --git a/sdk/nodejs/hardcodedAttributeIdentityProviderMapper.ts b/sdk/nodejs/hardcodedAttributeIdentityProviderMapper.ts index b363472d..37e0da75 100644 --- a/sdk/nodejs/hardcodedAttributeIdentityProviderMapper.ts +++ b/sdk/nodejs/hardcodedAttributeIdentityProviderMapper.ts @@ -4,6 +4,41 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; +/** + * Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider. + * + * The identity provider hardcoded attribute mapper will set the specified value to the IDP attribute. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const oidcIdentityProvider = new keycloak.oidc.IdentityProvider("oidcIdentityProvider", { + * realm: realm.id, + * alias: "my-idp", + * authorizationUrl: "https://authorizationurl.com", + * clientId: "clientID", + * clientSecret: "clientSecret", + * tokenUrl: "https://tokenurl.com", + * }); + * const oidcHardcodedAttributeIdentityProviderMapper = new keycloak.HardcodedAttributeIdentityProviderMapper("oidcHardcodedAttributeIdentityProviderMapper", { + * realm: realm.id, + * identityProviderAlias: oidcIdentityProvider.alias, + * attributeName: "attribute", + * attributeValue: "value", + * userSession: true, + * extraConfig: { + * syncMode: "INHERIT", + * }, + * }); + * ``` + */ export class HardcodedAttributeIdentityProviderMapper extends pulumi.CustomResource { /** * Get an existing HardcodedAttributeIdentityProviderMapper resource's state with the given name, ID, and optional extra @@ -33,28 +68,28 @@ export class HardcodedAttributeIdentityProviderMapper extends pulumi.CustomResou } /** - * OIDC Claim + * The name of the IDP attribute to set. */ public readonly attributeName!: pulumi.Output; /** - * User Attribute + * The value to set to the attribute. You can hardcode any value like 'foo'. */ public readonly attributeValue!: pulumi.Output; public readonly extraConfig!: pulumi.Output<{[key: string]: any} | undefined>; /** - * IDP Alias + * The IDP alias of the attribute to set. */ public readonly identityProviderAlias!: pulumi.Output; /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. */ public readonly name!: pulumi.Output; /** - * Realm Name + * The realm ID that this mapper will exist in. */ public readonly realm!: pulumi.Output; /** - * Is Attribute Related To a User Session + * Is Attribute related to a User Session. */ public readonly userSession!: pulumi.Output; @@ -107,28 +142,28 @@ export class HardcodedAttributeIdentityProviderMapper extends pulumi.CustomResou */ export interface HardcodedAttributeIdentityProviderMapperState { /** - * OIDC Claim + * The name of the IDP attribute to set. */ attributeName?: pulumi.Input; /** - * User Attribute + * The value to set to the attribute. You can hardcode any value like 'foo'. */ attributeValue?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: any}>; /** - * IDP Alias + * The IDP alias of the attribute to set. */ identityProviderAlias?: pulumi.Input; /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * Realm Name + * The realm ID that this mapper will exist in. */ realm?: pulumi.Input; /** - * Is Attribute Related To a User Session + * Is Attribute related to a User Session. */ userSession?: pulumi.Input; } @@ -138,28 +173,28 @@ export interface HardcodedAttributeIdentityProviderMapperState { */ export interface HardcodedAttributeIdentityProviderMapperArgs { /** - * OIDC Claim + * The name of the IDP attribute to set. */ attributeName?: pulumi.Input; /** - * User Attribute + * The value to set to the attribute. You can hardcode any value like 'foo'. */ attributeValue?: pulumi.Input; extraConfig?: pulumi.Input<{[key: string]: any}>; /** - * IDP Alias + * The IDP alias of the attribute to set. */ identityProviderAlias: pulumi.Input; /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * Realm Name + * The realm ID that this mapper will exist in. */ realm: pulumi.Input; /** - * Is Attribute Related To a User Session + * Is Attribute related to a User Session. */ userSession: pulumi.Input; } diff --git a/sdk/nodejs/hardcodedRoleIdentityMapper.ts b/sdk/nodejs/hardcodedRoleIdentityMapper.ts index 719585db..ac4869b1 100644 --- a/sdk/nodejs/hardcodedRoleIdentityMapper.ts +++ b/sdk/nodejs/hardcodedRoleIdentityMapper.ts @@ -4,6 +4,43 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "./utilities"; +/** + * Allows for creating and managing hardcoded role mappers for Keycloak identity provider. + * + * The identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const oidcIdentityProvider = new keycloak.oidc.IdentityProvider("oidcIdentityProvider", { + * realm: realm.id, + * alias: "my-idp", + * authorizationUrl: "https://authorizationurl.com", + * clientId: "clientID", + * clientSecret: "clientSecret", + * tokenUrl: "https://tokenurl.com", + * }); + * const realmRole = new keycloak.Role("realmRole", { + * realmId: realm.id, + * description: "My Realm Role", + * }); + * const oidcHardcodedRoleIdentityMapper = new keycloak.HardcodedRoleIdentityMapper("oidcHardcodedRoleIdentityMapper", { + * realm: realm.id, + * identityProviderAlias: oidcIdentityProvider.alias, + * role: "my-realm-role", + * extraConfig: { + * syncMode: "INHERIT", + * }, + * }); + * ``` + */ export class HardcodedRoleIdentityMapper extends pulumi.CustomResource { /** * Get an existing HardcodedRoleIdentityMapper resource's state with the given name, ID, and optional extra @@ -34,19 +71,19 @@ export class HardcodedRoleIdentityMapper extends pulumi.CustomResource { public readonly extraConfig!: pulumi.Output<{[key: string]: any} | undefined>; /** - * IDP Alias + * The IDP alias of the attribute to set. */ public readonly identityProviderAlias!: pulumi.Output; /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. */ public readonly name!: pulumi.Output; /** - * Realm Name + * The realm ID that this mapper will exist in. */ public readonly realm!: pulumi.Output; /** - * Role Name + * The name of the role which should be assigned to the users. */ public readonly role!: pulumi.Output; @@ -93,19 +130,19 @@ export class HardcodedRoleIdentityMapper extends pulumi.CustomResource { export interface HardcodedRoleIdentityMapperState { extraConfig?: pulumi.Input<{[key: string]: any}>; /** - * IDP Alias + * The IDP alias of the attribute to set. */ identityProviderAlias?: pulumi.Input; /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * Realm Name + * The realm ID that this mapper will exist in. */ realm?: pulumi.Input; /** - * Role Name + * The name of the role which should be assigned to the users. */ role?: pulumi.Input; } @@ -116,19 +153,19 @@ export interface HardcodedRoleIdentityMapperState { export interface HardcodedRoleIdentityMapperArgs { extraConfig?: pulumi.Input<{[key: string]: any}>; /** - * IDP Alias + * The IDP alias of the attribute to set. */ identityProviderAlias: pulumi.Input; /** - * IDP Mapper Name + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * Realm Name + * The realm ID that this mapper will exist in. */ realm: pulumi.Input; /** - * Role Name + * The name of the role which should be assigned to the users. */ role?: pulumi.Input; } diff --git a/sdk/nodejs/ldap/hardcodedGroupMapper.ts b/sdk/nodejs/ldap/hardcodedGroupMapper.ts index 24b12080..ef8d9d7e 100644 --- a/sdk/nodejs/ldap/hardcodedGroupMapper.ts +++ b/sdk/nodejs/ldap/hardcodedGroupMapper.ts @@ -4,6 +4,51 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; +/** + * Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP. + * + * The LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP. + * + * ## Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const ldapUserFederation = new keycloak.ldap.UserFederation("ldapUserFederation", { + * realmId: realm.id, + * usernameLdapAttribute: "cn", + * rdnLdapAttribute: "cn", + * uuidLdapAttribute: "entryDN", + * userObjectClasses: [ + * "simpleSecurityObject", + * "organizationalRole", + * ], + * connectionUrl: "ldap://openldap", + * usersDn: "dc=example,dc=org", + * bindDn: "cn=admin,dc=example,dc=org", + * bindCredential: "admin", + * }); + * const realmGroup = new keycloak.Group("realmGroup", {realmId: realm.id}); + * const assignGroupToUsers = new keycloak.ldap.HardcodedGroupMapper("assignGroupToUsers", { + * realmId: realm.id, + * ldapUserFederationId: ldapUserFederation.id, + * group: realmGroup.name, + * }); + * ``` + * + * ## Import + * + * LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash + * + * ```sh + * $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + * ``` + */ export class HardcodedGroupMapper extends pulumi.CustomResource { /** * Get an existing HardcodedGroupMapper resource's state with the given name, ID, and optional extra @@ -33,19 +78,19 @@ export class HardcodedGroupMapper extends pulumi.CustomResource { } /** - * Group to grant to user. + * The name of the group which should be assigned to the users. */ public readonly group!: pulumi.Output; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ public readonly ldapUserFederationId!: pulumi.Output; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ public readonly name!: pulumi.Output; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ public readonly realmId!: pulumi.Output; @@ -92,19 +137,19 @@ export class HardcodedGroupMapper extends pulumi.CustomResource { */ export interface HardcodedGroupMapperState { /** - * Group to grant to user. + * The name of the group which should be assigned to the users. */ group?: pulumi.Input; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId?: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId?: pulumi.Input; } @@ -114,19 +159,19 @@ export interface HardcodedGroupMapperState { */ export interface HardcodedGroupMapperArgs { /** - * Group to grant to user. + * The name of the group which should be assigned to the users. */ group: pulumi.Input; /** - * The ldap user federation provider to attach this mapper to. + * The ID of the LDAP user federation provider to attach this mapper to. */ ldapUserFederationId: pulumi.Input; /** - * Display name of the mapper when displayed in the console. + * Display name of this mapper when displayed in the console. */ name?: pulumi.Input; /** - * The realm in which the ldap user federation provider exists. + * The realm that this LDAP mapper will exist in. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/audienceResolveProtocolMapper.ts b/sdk/nodejs/openid/audienceResolveProtocolMapper.ts new file mode 100644 index 00000000..d4e1af96 --- /dev/null +++ b/sdk/nodejs/openid/audienceResolveProtocolMapper.ts @@ -0,0 +1,187 @@ +// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +import * as pulumi from "@pulumi/pulumi"; +import * as utilities from "../utilities"; + +/** + * Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. + * + * This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles + * to imply which audiences are appropriate for the token. See the + * [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. + * + * ## Example Usage + * ### Client) + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const openidClient = new keycloak.openid.Client("openidClient", { + * realmId: realm.id, + * clientId: "client", + * enabled: true, + * accessType: "CONFIDENTIAL", + * validRedirectUris: ["http://localhost:8080/openid-callback"], + * }); + * const audienceMapper = new keycloak.openid.AudienceResolveProtocolMapper("audienceMapper", { + * realmId: realm.id, + * clientId: openidClient.id, + * }); + * ``` + * ### Client Scope) + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const clientScope = new keycloak.openid.ClientScope("clientScope", {realmId: realm.id}); + * const audienceMapper = new keycloak.openid.AudienceProtocolMapper("audienceMapper", { + * realmId: realm.id, + * clientScopeId: clientScope.id, + * }); + * ``` + * + * ## Import + * + * Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash + * + * ```sh + * $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + * + * ```sh + * $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + * ``` + */ +export class AudienceResolveProtocolMapper extends pulumi.CustomResource { + /** + * Get an existing AudienceResolveProtocolMapper resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param state Any extra arguments used during the lookup. + * @param opts Optional settings to control the behavior of the CustomResource. + */ + public static get(name: string, id: pulumi.Input, state?: AudienceResolveProtocolMapperState, opts?: pulumi.CustomResourceOptions): AudienceResolveProtocolMapper { + return new AudienceResolveProtocolMapper(name, state, { ...opts, id: id }); + } + + /** @internal */ + public static readonly __pulumiType = 'keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper'; + + /** + * Returns true if the given object is an instance of AudienceResolveProtocolMapper. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. + */ + public static isInstance(obj: any): obj is AudienceResolveProtocolMapper { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === AudienceResolveProtocolMapper.__pulumiType; + } + + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ + public readonly clientId!: pulumi.Output; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ + public readonly clientScopeId!: pulumi.Output; + /** + * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + */ + public readonly name!: pulumi.Output; + /** + * The realm this protocol mapper exists within. + */ + public readonly realmId!: pulumi.Output; + + /** + * Create a AudienceResolveProtocolMapper resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name: string, args: AudienceResolveProtocolMapperArgs, opts?: pulumi.CustomResourceOptions) + constructor(name: string, argsOrState?: AudienceResolveProtocolMapperArgs | AudienceResolveProtocolMapperState, opts?: pulumi.CustomResourceOptions) { + let resourceInputs: pulumi.Inputs = {}; + opts = opts || {}; + if (opts.id) { + const state = argsOrState as AudienceResolveProtocolMapperState | undefined; + resourceInputs["clientId"] = state ? state.clientId : undefined; + resourceInputs["clientScopeId"] = state ? state.clientScopeId : undefined; + resourceInputs["name"] = state ? state.name : undefined; + resourceInputs["realmId"] = state ? state.realmId : undefined; + } else { + const args = argsOrState as AudienceResolveProtocolMapperArgs | undefined; + if ((!args || args.realmId === undefined) && !opts.urn) { + throw new Error("Missing required property 'realmId'"); + } + resourceInputs["clientId"] = args ? args.clientId : undefined; + resourceInputs["clientScopeId"] = args ? args.clientScopeId : undefined; + resourceInputs["name"] = args ? args.name : undefined; + resourceInputs["realmId"] = args ? args.realmId : undefined; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const aliasOpts = { aliases: [{ type: "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter" }] }; + opts = pulumi.mergeOptions(opts, aliasOpts); + super(AudienceResolveProtocolMapper.__pulumiType, name, resourceInputs, opts); + } +} + +/** + * Input properties used for looking up and filtering AudienceResolveProtocolMapper resources. + */ +export interface AudienceResolveProtocolMapperState { + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ + clientId?: pulumi.Input; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ + clientScopeId?: pulumi.Input; + /** + * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + */ + name?: pulumi.Input; + /** + * The realm this protocol mapper exists within. + */ + realmId?: pulumi.Input; +} + +/** + * The set of arguments for constructing a AudienceResolveProtocolMapper resource. + */ +export interface AudienceResolveProtocolMapperArgs { + /** + * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + */ + clientId?: pulumi.Input; + /** + * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + */ + clientScopeId?: pulumi.Input; + /** + * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + */ + name?: pulumi.Input; + /** + * The realm this protocol mapper exists within. + */ + realmId: pulumi.Input; +} diff --git a/sdk/nodejs/openid/audienceResolveProtocolMappter.ts b/sdk/nodejs/openid/audienceResolveProtocolMappter.ts index 3c1db1cf..f0a622d9 100644 --- a/sdk/nodejs/openid/audienceResolveProtocolMappter.ts +++ b/sdk/nodejs/openid/audienceResolveProtocolMappter.ts @@ -5,63 +5,7 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. - * - * This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles - * to imply which audiences are appropriate for the token. See the - * [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. - * - * ## Example Usage - * ### Client) - * - * ```typescript - * import * as pulumi from "@pulumi/pulumi"; - * import * as keycloak from "@pulumi/keycloak"; - * - * const realm = new keycloak.Realm("realm", { - * realm: "my-realm", - * enabled: true, - * }); - * const openidClient = new keycloak.openid.Client("openidClient", { - * realmId: realm.id, - * clientId: "client", - * enabled: true, - * accessType: "CONFIDENTIAL", - * validRedirectUris: ["http://localhost:8080/openid-callback"], - * }); - * const audienceMapper = new keycloak.openid.AudienceResolveProtocolMappter("audienceMapper", { - * realmId: realm.id, - * clientId: openidClient.id, - * }); - * ``` - * ### Client Scope) - * - * ```typescript - * import * as pulumi from "@pulumi/pulumi"; - * import * as keycloak from "@pulumi/keycloak"; - * - * const realm = new keycloak.Realm("realm", { - * realm: "my-realm", - * enabled: true, - * }); - * const clientScope = new keycloak.openid.ClientScope("clientScope", {realmId: realm.id}); - * const audienceMapper = new keycloak.openid.AudienceProtocolMapper("audienceMapper", { - * realmId: realm.id, - * clientScopeId: clientScope.id, - * }); - * ``` - * - * ## Import - * - * Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash - * - * ```sh - * $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - * ``` - * - * ```sh - * $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - * ``` + * @deprecated keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper */ export class AudienceResolveProtocolMappter extends pulumi.CustomResource { /** @@ -74,6 +18,7 @@ export class AudienceResolveProtocolMappter extends pulumi.CustomResource { * @param opts Optional settings to control the behavior of the CustomResource. */ public static get(name: string, id: pulumi.Input, state?: AudienceResolveProtocolMappterState, opts?: pulumi.CustomResourceOptions): AudienceResolveProtocolMappter { + pulumi.log.warn("AudienceResolveProtocolMappter is deprecated: keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper") return new AudienceResolveProtocolMappter(name, state, { ...opts, id: id }); } @@ -92,19 +37,19 @@ export class AudienceResolveProtocolMappter extends pulumi.CustomResource { } /** - * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + * The mapper's associated client. Cannot be used at the same time as client_scope_id. */ public readonly clientId!: pulumi.Output; /** - * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + * The mapper's associated client scope. Cannot be used at the same time as client_id. */ public readonly clientScopeId!: pulumi.Output; /** - * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * A human-friendly name that will appear in the Keycloak console. */ public readonly name!: pulumi.Output; /** - * The realm this protocol mapper exists within. + * The realm id where the associated client or client scope exists. */ public readonly realmId!: pulumi.Output; @@ -115,8 +60,11 @@ export class AudienceResolveProtocolMappter extends pulumi.CustomResource { * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ + /** @deprecated keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper */ constructor(name: string, args: AudienceResolveProtocolMappterArgs, opts?: pulumi.CustomResourceOptions) + /** @deprecated keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper */ constructor(name: string, argsOrState?: AudienceResolveProtocolMappterArgs | AudienceResolveProtocolMappterState, opts?: pulumi.CustomResourceOptions) { + pulumi.log.warn("AudienceResolveProtocolMappter is deprecated: keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper") let resourceInputs: pulumi.Inputs = {}; opts = opts || {}; if (opts.id) { @@ -145,19 +93,19 @@ export class AudienceResolveProtocolMappter extends pulumi.CustomResource { */ export interface AudienceResolveProtocolMappterState { /** - * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + * The mapper's associated client. Cannot be used at the same time as client_scope_id. */ clientId?: pulumi.Input; /** - * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + * The mapper's associated client scope. Cannot be used at the same time as client_id. */ clientScopeId?: pulumi.Input; /** - * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * A human-friendly name that will appear in the Keycloak console. */ name?: pulumi.Input; /** - * The realm this protocol mapper exists within. + * The realm id where the associated client or client scope exists. */ realmId?: pulumi.Input; } @@ -167,19 +115,19 @@ export interface AudienceResolveProtocolMappterState { */ export interface AudienceResolveProtocolMappterArgs { /** - * The client this protocol mapper should be attached to. Conflicts with `clientScopeId`. One of `clientId` or `clientScopeId` must be specified. + * The mapper's associated client. Cannot be used at the same time as client_scope_id. */ clientId?: pulumi.Input; /** - * The client scope this protocol mapper should be attached to. Conflicts with `clientId`. One of `clientId` or `clientScopeId` must be specified. + * The mapper's associated client scope. Cannot be used at the same time as client_id. */ clientScopeId?: pulumi.Input; /** - * The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + * A human-friendly name that will appear in the Keycloak console. */ name?: pulumi.Input; /** - * The realm this protocol mapper exists within. + * The realm id where the associated client or client scope exists. */ realmId: pulumi.Input; } diff --git a/sdk/nodejs/openid/clientAuthorizationPermission.ts b/sdk/nodejs/openid/clientAuthorizationPermission.ts index eab9867a..7ce0b121 100644 --- a/sdk/nodejs/openid/clientAuthorizationPermission.ts +++ b/sdk/nodejs/openid/clientAuthorizationPermission.ts @@ -4,6 +4,81 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; +/** + * ## # keycloak.openid.ClientAuthorizationPermission + * + * Allows you to manage openid Client Authorization Permissions. + * + * ### Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", { + * realm: "my-realm", + * enabled: true, + * }); + * const testClient = new keycloak.openid.Client("testClient", { + * clientId: "client_id", + * realmId: realm.id, + * accessType: "CONFIDENTIAL", + * serviceAccountsEnabled: true, + * authorization: { + * policyEnforcementMode: "ENFORCING", + * }, + * }); + * const default = keycloak.openid.getClientAuthorizationPolicyOutput({ + * realmId: realm.id, + * resourceServerId: testClient.resourceServerId, + * name: "default", + * }); + * const testClientAuthorizationResource = new keycloak.openid.ClientAuthorizationResource("testClientAuthorizationResource", { + * resourceServerId: testClient.resourceServerId, + * realmId: realm.id, + * uris: ["/endpoint/*"], + * }); + * const testClientAuthorizationScope = new keycloak.openid.ClientAuthorizationScope("testClientAuthorizationScope", { + * resourceServerId: testClient.resourceServerId, + * realmId: realm.id, + * }); + * const testClientAuthorizationPermission = new keycloak.openid.ClientAuthorizationPermission("testClientAuthorizationPermission", { + * resourceServerId: testClient.resourceServerId, + * realmId: realm.id, + * policies: [_default.apply(_default => _default.id)], + * resources: [testClientAuthorizationResource.id], + * }); + * ``` + * + * ### Argument Reference + * + * The following arguments are supported: + * + * - `realmId` - (Required) The realm this group exists in. + * - `resourceServerId` - (Required) The ID of the resource server. + * - `name` - (Required) The name of the permission. + * - `description` - (Optional) A description for the authorization permission. + * - `decisionStrategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`. + * - `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission. + * - `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resourceType`. + * - `resourceType` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`. + * - `scopes` - (Optional) A list of scope IDs that this permission must be applied to. + * - `type` - (Optional) The type of permission, can be one of `resource` or `scope`. + * + * ### Attributes Reference + * + * In addition to the arguments listed above, the following computed attributes are exported: + * + * - `id` - Permission ID representing the permission. + * + * ## Import + * + * Client authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash + * + * ```sh + * $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9 + * ``` + */ export class ClientAuthorizationPermission extends pulumi.CustomResource { /** * Get an existing ClientAuthorizationPermission resource's state with the given name, ID, and optional extra diff --git a/sdk/nodejs/openid/clientPermissions.ts b/sdk/nodejs/openid/clientPermissions.ts index c785804c..5599518d 100644 --- a/sdk/nodejs/openid/clientPermissions.ts +++ b/sdk/nodejs/openid/clientPermissions.ts @@ -6,6 +6,104 @@ import * as inputs from "../types/input"; import * as outputs from "../types/output"; import * as utilities from "../utilities"; +/** + * ## # keycloak.openid.ClientPermissions + * + * Allows you to manage all openid client Scope Based Permissions. + * + * This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More + * information about enabling the preview feature can be found + * here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange + * + * When enabling Openid Client Permissions, Keycloak does several things automatically: + * + * 1. Enable Authorization on build-in realm-management client + * 2. Create scopes "view", "manage", "configure", "map-roles", "map-roles-client-scope", "map-roles-composite", " + * token-exchange" + * 3. Create a resource representing the openid client + * 4. Create all scope based permission for the scopes and openid client resource + * + * If the realm-management Authorization is not enable, you have to ceate a dependency (`dependsOn`) with the policy and + * the openid client. + * + * ### Example Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as keycloak from "@pulumi/keycloak"; + * + * const realm = new keycloak.Realm("realm", {realm: "realm"}); + * const myOpenidClient = new keycloak.openid.Client("myOpenidClient", { + * realmId: realm.id, + * clientId: "my_openid_client", + * clientSecret: "secret", + * accessType: "CONFIDENTIAL", + * standardFlowEnabled: true, + * validRedirectUris: ["http://localhost:8080/*"], + * }); + * const realmManagement = keycloak.openid.getClientOutput({ + * realmId: realm.id, + * clientId: "realm-management", + * }); + * const testUser = new keycloak.User("testUser", { + * realmId: realm.id, + * username: "test-user", + * email: "test-user@fakedomain.com", + * firstName: "Testy", + * lastName: "Tester", + * }); + * const testClientUserPolicy = new keycloak.openid.ClientUserPolicy("testClientUserPolicy", { + * resourceServerId: realmManagement.apply(realmManagement => realmManagement.id), + * realmId: realm.id, + * users: [testUser.id], + * logic: "POSITIVE", + * decisionStrategy: "UNANIMOUS", + * }, { + * dependsOn: [myOpenidClient], + * }); + * const myPermission = new keycloak.openid.ClientPermissions("myPermission", { + * realmId: realm.id, + * clientId: myOpenidClient.id, + * viewScope: { + * policies: [testClientUserPolicy.id], + * description: "my description", + * decisionStrategy: "UNANIMOUS", + * }, + * }); + * ``` + * + * ### Argument Reference + * + * The following arguments are supported: + * + * - `realmId` - (Required) The realm this group exists in. + * - `clientId` - (Required) The id of the client that provides the role. + * + * #### Permission Scopes + * + * Permission scopes can be defined using the following attributes: + * + * - `viewScope` + * - `manageScope` + * - `configureScope` + * - `mapRolesScope` + * - `mapRolesClientScopeScope` + * - `mapRolesCompositeScope` + * - `tokenExchangeScope` + * + * Each of these attributes have the following schema: + * + * - `policies` - (Optional) A list of policy IDs + * - `description` - (Optional) A description for the permission scope + * - `decisionStrategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. + * + * ### Attributes Reference + * + * In addition to the arguments listed above, the following computed attributes are exported: + * + * - `authorizationResourceServerId` - Resource server id representing the realm management client on which this + * permission is managed. + */ export class ClientPermissions extends pulumi.CustomResource { /** * Get an existing ClientPermissions resource's state with the given name, ID, and optional extra diff --git a/sdk/nodejs/openid/index.ts b/sdk/nodejs/openid/index.ts index f8181d19..89dfe4da 100644 --- a/sdk/nodejs/openid/index.ts +++ b/sdk/nodejs/openid/index.ts @@ -10,6 +10,11 @@ export type AudienceProtocolMapper = import("./audienceProtocolMapper").Audience export const AudienceProtocolMapper: typeof import("./audienceProtocolMapper").AudienceProtocolMapper = null as any; utilities.lazyLoad(exports, ["AudienceProtocolMapper"], () => require("./audienceProtocolMapper")); +export { AudienceResolveProtocolMapperArgs, AudienceResolveProtocolMapperState } from "./audienceResolveProtocolMapper"; +export type AudienceResolveProtocolMapper = import("./audienceResolveProtocolMapper").AudienceResolveProtocolMapper; +export const AudienceResolveProtocolMapper: typeof import("./audienceResolveProtocolMapper").AudienceResolveProtocolMapper = null as any; +utilities.lazyLoad(exports, ["AudienceResolveProtocolMapper"], () => require("./audienceResolveProtocolMapper")); + export { AudienceResolveProtocolMappterArgs, AudienceResolveProtocolMappterState } from "./audienceResolveProtocolMappter"; export type AudienceResolveProtocolMappter = import("./audienceResolveProtocolMappter").AudienceResolveProtocolMappter; export const AudienceResolveProtocolMappter: typeof import("./audienceResolveProtocolMappter").AudienceResolveProtocolMappter = null as any; @@ -177,6 +182,8 @@ const _module = { switch (type) { case "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper": return new AudienceProtocolMapper(name, undefined, { urn }) + case "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper": + return new AudienceResolveProtocolMapper(name, undefined, { urn }) case "keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter": return new AudienceResolveProtocolMappter(name, undefined, { urn }) case "keycloak:openid/client:Client": @@ -239,6 +246,7 @@ const _module = { }, }; pulumi.runtime.registerResourceModule("keycloak", "openid/audienceProtocolMapper", _module) +pulumi.runtime.registerResourceModule("keycloak", "openid/audienceResolveProtocolMapper", _module) pulumi.runtime.registerResourceModule("keycloak", "openid/audienceResolveProtocolMappter", _module) pulumi.runtime.registerResourceModule("keycloak", "openid/client", _module) pulumi.runtime.registerResourceModule("keycloak", "openid/clientAggregatePolicy", _module) diff --git a/sdk/nodejs/tsconfig.json b/sdk/nodejs/tsconfig.json index 7ffd8ca8..8cb35bc6 100644 --- a/sdk/nodejs/tsconfig.json +++ b/sdk/nodejs/tsconfig.json @@ -63,6 +63,7 @@ "oidc/identityProvider.ts", "oidc/index.ts", "openid/audienceProtocolMapper.ts", + "openid/audienceResolveProtocolMapper.ts", "openid/audienceResolveProtocolMappter.ts", "openid/client.ts", "openid/clientAggregatePolicy.ts", diff --git a/sdk/nodejs/usersPermissions.ts b/sdk/nodejs/usersPermissions.ts index 089f1bbf..f8f82188 100644 --- a/sdk/nodejs/usersPermissions.ts +++ b/sdk/nodejs/usersPermissions.ts @@ -6,6 +6,36 @@ import * as inputs from "./types/input"; import * as outputs from "./types/output"; import * as utilities from "./utilities"; +/** + * ## Example Usage + * ### Argument Reference + * + * The following arguments are supported: + * + * - `realmId` - (Required) The realm in which to manage fine-grained user permissions. + * + * Each of the scopes that can be managed are defined below: + * + * - `viewScope` - (Optional) When specified, set the scope based view permission. + * - `manageScope` - (Optional) When specified, set the scope based manage permission. + * - `mapRolesScope` - (Optional) When specified, set the scope based mapRoles permission. + * - `manageGroupMembershipScope` - (Optional) When specified, set the scope based manageGroupMembership permission. + * - `impersonateScope` - (Optional) When specified, set the scope based impersonate permission. + * - `userImpersonatedScope` - (Optional) When specified, set the scope based userImpersonated permission. + * + * The configuration block for each of these scopes supports the following arguments: + * + * - `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. + * - `description` - (Optional) Description of the permission. + * - `decisionStrategy` - (Optional) Decision strategy of the permission. + * + * ### Attributes Reference + * + * In addition to the arguments listed above, the following computed attributes are exported: + * + * - `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. + * - `authorizationResourceServerId` - Resource server id representing the realm management client on which these permissions are managed. + */ export class UsersPermissions extends pulumi.CustomResource { /** * Get an existing UsersPermissions resource's state with the given name, ID, and optional extra diff --git a/sdk/python/pulumi_keycloak/__init__.py b/sdk/python/pulumi_keycloak/__init__.py index d4b02e62..92251734 100644 --- a/sdk/python/pulumi_keycloak/__init__.py +++ b/sdk/python/pulumi_keycloak/__init__.py @@ -484,6 +484,14 @@ "keycloak:openid/audienceProtocolMapper:AudienceProtocolMapper": "AudienceProtocolMapper" } }, + { + "pkg": "keycloak", + "mod": "openid/audienceResolveProtocolMapper", + "fqn": "pulumi_keycloak.openid", + "classes": { + "keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper": "AudienceResolveProtocolMapper" + } + }, { "pkg": "keycloak", "mod": "openid/audienceResolveProtocolMappter", diff --git a/sdk/python/pulumi_keycloak/attribute_to_role_identity_mapper.py b/sdk/python/pulumi_keycloak/attribute_to_role_identity_mapper.py index cf56b785..1837c7fc 100644 --- a/sdk/python/pulumi_keycloak/attribute_to_role_identity_mapper.py +++ b/sdk/python/pulumi_keycloak/attribute_to_role_identity_mapper.py @@ -26,15 +26,16 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a AttributeToRoleIdentityMapper resource. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] attribute_value: Attribute Value + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] role: Role Name. + :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: Attribute Name. + :param pulumi.Input[str] attribute_value: Attribute Value. :param pulumi.Input[str] claim_name: OIDC Claim Name :param pulumi.Input[str] claim_value: OIDC Claim Value - :param pulumi.Input[str] name: IDP Mapper Name + :param pulumi.Input[Mapping[str, Any]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] name: The name of the mapper. """ pulumi.set(__self__, "identity_provider_alias", identity_provider_alias) pulumi.set(__self__, "realm", realm) @@ -58,7 +59,7 @@ def __init__(__self__, *, @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Input[str]: """ - IDP Alias + The alias of the associated identity provider. """ return pulumi.get(self, "identity_provider_alias") @@ -70,7 +71,7 @@ def identity_provider_alias(self, value: pulumi.Input[str]): @pulumi.getter def realm(self) -> pulumi.Input[str]: """ - Realm Name + The name of the realm. """ return pulumi.get(self, "realm") @@ -82,7 +83,7 @@ def realm(self, value: pulumi.Input[str]): @pulumi.getter def role(self) -> pulumi.Input[str]: """ - Role Name + Role Name. """ return pulumi.get(self, "role") @@ -94,7 +95,7 @@ def role(self, value: pulumi.Input[str]): @pulumi.getter(name="attributeFriendlyName") def attribute_friendly_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Friendly Name + Attribute Friendly Name. Conflicts with `attribute_name`. """ return pulumi.get(self, "attribute_friendly_name") @@ -106,7 +107,7 @@ def attribute_friendly_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeName") def attribute_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Name + Attribute Name. """ return pulumi.get(self, "attribute_name") @@ -118,7 +119,7 @@ def attribute_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeValue") def attribute_value(self) -> Optional[pulumi.Input[str]]: """ - Attribute Value + Attribute Value. """ return pulumi.get(self, "attribute_value") @@ -153,6 +154,9 @@ def claim_value(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="extraConfig") def extra_config(self) -> Optional[pulumi.Input[Mapping[str, Any]]]: + """ + Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + """ return pulumi.get(self, "extra_config") @extra_config.setter @@ -163,7 +167,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + The name of the mapper. """ return pulumi.get(self, "name") @@ -187,15 +191,16 @@ def __init__(__self__, *, role: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering AttributeToRoleIdentityMapper resources. - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] attribute_value: Attribute Value + :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: Attribute Name. + :param pulumi.Input[str] attribute_value: Attribute Value. :param pulumi.Input[str] claim_name: OIDC Claim Name :param pulumi.Input[str] claim_value: OIDC Claim Value - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[Mapping[str, Any]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] name: The name of the mapper. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] role: Role Name. """ if attribute_friendly_name is not None: pulumi.set(__self__, "attribute_friendly_name", attribute_friendly_name) @@ -222,7 +227,7 @@ def __init__(__self__, *, @pulumi.getter(name="attributeFriendlyName") def attribute_friendly_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Friendly Name + Attribute Friendly Name. Conflicts with `attribute_name`. """ return pulumi.get(self, "attribute_friendly_name") @@ -234,7 +239,7 @@ def attribute_friendly_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeName") def attribute_name(self) -> Optional[pulumi.Input[str]]: """ - Attribute Name + Attribute Name. """ return pulumi.get(self, "attribute_name") @@ -246,7 +251,7 @@ def attribute_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeValue") def attribute_value(self) -> Optional[pulumi.Input[str]]: """ - Attribute Value + Attribute Value. """ return pulumi.get(self, "attribute_value") @@ -281,6 +286,9 @@ def claim_value(self, value: Optional[pulumi.Input[str]]): @property @pulumi.getter(name="extraConfig") def extra_config(self) -> Optional[pulumi.Input[Mapping[str, Any]]]: + """ + Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + """ return pulumi.get(self, "extra_config") @extra_config.setter @@ -291,7 +299,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]): @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> Optional[pulumi.Input[str]]: """ - IDP Alias + The alias of the associated identity provider. """ return pulumi.get(self, "identity_provider_alias") @@ -303,7 +311,7 @@ def identity_provider_alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + The name of the mapper. """ return pulumi.get(self, "name") @@ -315,7 +323,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def realm(self) -> Optional[pulumi.Input[str]]: """ - Realm Name + The name of the realm. """ return pulumi.get(self, "realm") @@ -327,7 +335,7 @@ def realm(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def role(self) -> Optional[pulumi.Input[str]]: """ - Role Name + Role Name. """ return pulumi.get(self, "role") @@ -353,18 +361,61 @@ def __init__(__self__, role: Optional[pulumi.Input[str]] = None, __props__=None): """ - Create a AttributeToRoleIdentityMapper resource with the given unique name, props, and options. + Allows for creating and managing an attribute to role identity provider mapper within Keycloak. + + > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + oidc_identity_provider = keycloak.oidc.IdentityProvider("oidcIdentityProvider", + realm=realm.id, + alias="oidc", + authorization_url="https://example.com/auth", + token_url="https://example.com/token", + client_id="example_id", + client_secret="example_token", + default_scopes="openid random profile") + realm_role = keycloak.Role("realmRole", + realm_id=realm.id, + description="My Realm Role") + oidc_attribute_to_role_identity_mapper = keycloak.AttributeToRoleIdentityMapper("oidcAttributeToRoleIdentityMapper", + realm=realm.id, + identity_provider_alias=oidc_identity_provider.alias, + role="my-realm-role", + claim_name="my-claim", + claim_value="my-value", + extra_config={ + "syncMode": "INHERIT", + }) + ``` + + ## Import + + Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash + + ```sh + $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] attribute_value: Attribute Value + :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: Attribute Name. + :param pulumi.Input[str] attribute_value: Attribute Value. :param pulumi.Input[str] claim_name: OIDC Claim Name :param pulumi.Input[str] claim_value: OIDC Claim Value - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[Mapping[str, Any]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] name: The name of the mapper. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] role: Role Name. """ ... @overload @@ -373,7 +424,49 @@ def __init__(__self__, args: AttributeToRoleIdentityMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a AttributeToRoleIdentityMapper resource with the given unique name, props, and options. + Allows for creating and managing an attribute to role identity provider mapper within Keycloak. + + > If you are using Keycloak 10 or higher, you will need to specify the `extra_config` argument in order to define a `syncMode` for the mapper. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + oidc_identity_provider = keycloak.oidc.IdentityProvider("oidcIdentityProvider", + realm=realm.id, + alias="oidc", + authorization_url="https://example.com/auth", + token_url="https://example.com/token", + client_id="example_id", + client_secret="example_token", + default_scopes="openid random profile") + realm_role = keycloak.Role("realmRole", + realm_id=realm.id, + description="My Realm Role") + oidc_attribute_to_role_identity_mapper = keycloak.AttributeToRoleIdentityMapper("oidcAttributeToRoleIdentityMapper", + realm=realm.id, + identity_provider_alias=oidc_identity_provider.alias, + role="my-realm-role", + claim_name="my-claim", + claim_value="my-value", + extra_config={ + "syncMode": "INHERIT", + }) + ``` + + ## Import + + Identity provider mappers can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. Examplebash + + ```sh + $ pulumi import keycloak:index/attributeToRoleIdentityMapper:AttributeToRoleIdentityMapper test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b + ``` + :param str resource_name: The name of the resource. :param AttributeToRoleIdentityMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -451,15 +544,16 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name - :param pulumi.Input[str] attribute_name: Attribute Name - :param pulumi.Input[str] attribute_value: Attribute Value + :param pulumi.Input[str] attribute_friendly_name: Attribute Friendly Name. Conflicts with `attribute_name`. + :param pulumi.Input[str] attribute_name: Attribute Name. + :param pulumi.Input[str] attribute_value: Attribute Value. :param pulumi.Input[str] claim_name: OIDC Claim Name :param pulumi.Input[str] claim_value: OIDC Claim Value - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[Mapping[str, Any]] extra_config: Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + :param pulumi.Input[str] identity_provider_alias: The alias of the associated identity provider. + :param pulumi.Input[str] name: The name of the mapper. + :param pulumi.Input[str] realm: The name of the realm. + :param pulumi.Input[str] role: Role Name. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -481,7 +575,7 @@ def get(resource_name: str, @pulumi.getter(name="attributeFriendlyName") def attribute_friendly_name(self) -> pulumi.Output[Optional[str]]: """ - Attribute Friendly Name + Attribute Friendly Name. Conflicts with `attribute_name`. """ return pulumi.get(self, "attribute_friendly_name") @@ -489,7 +583,7 @@ def attribute_friendly_name(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="attributeName") def attribute_name(self) -> pulumi.Output[Optional[str]]: """ - Attribute Name + Attribute Name. """ return pulumi.get(self, "attribute_name") @@ -497,7 +591,7 @@ def attribute_name(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="attributeValue") def attribute_value(self) -> pulumi.Output[Optional[str]]: """ - Attribute Value + Attribute Value. """ return pulumi.get(self, "attribute_value") @@ -520,13 +614,16 @@ def claim_value(self) -> pulumi.Output[Optional[str]]: @property @pulumi.getter(name="extraConfig") def extra_config(self) -> pulumi.Output[Optional[Mapping[str, Any]]]: + """ + Key/value attributes to add to the identity provider mapper model that is persisted to Keycloak. This can be used to extend the base model with new Keycloak features. + """ return pulumi.get(self, "extra_config") @property @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Output[str]: """ - IDP Alias + The alias of the associated identity provider. """ return pulumi.get(self, "identity_provider_alias") @@ -534,7 +631,7 @@ def identity_provider_alias(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - IDP Mapper Name + The name of the mapper. """ return pulumi.get(self, "name") @@ -542,7 +639,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter def realm(self) -> pulumi.Output[str]: """ - Realm Name + The name of the realm. """ return pulumi.get(self, "realm") @@ -550,7 +647,7 @@ def realm(self) -> pulumi.Output[str]: @pulumi.getter def role(self) -> pulumi.Output[str]: """ - Role Name + Role Name. """ return pulumi.get(self, "role") diff --git a/sdk/python/pulumi_keycloak/hardcoded_attribute_identity_provider_mapper.py b/sdk/python/pulumi_keycloak/hardcoded_attribute_identity_provider_mapper.py index 1bf2b499..6c4a0a37 100644 --- a/sdk/python/pulumi_keycloak/hardcoded_attribute_identity_provider_mapper.py +++ b/sdk/python/pulumi_keycloak/hardcoded_attribute_identity_provider_mapper.py @@ -23,12 +23,12 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a HardcodedAttributeIdentityProviderMapper resource. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[bool] user_session: Is Attribute Related To a User Session - :param pulumi.Input[str] attribute_name: OIDC Claim - :param pulumi.Input[str] attribute_value: User Attribute - :param pulumi.Input[str] name: IDP Mapper Name + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[bool] user_session: Is Attribute related to a User Session. + :param pulumi.Input[str] attribute_name: The name of the IDP attribute to set. + :param pulumi.Input[str] attribute_value: The value to set to the attribute. You can hardcode any value like 'foo'. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. """ pulumi.set(__self__, "identity_provider_alias", identity_provider_alias) pulumi.set(__self__, "realm", realm) @@ -46,7 +46,7 @@ def __init__(__self__, *, @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Input[str]: """ - IDP Alias + The IDP alias of the attribute to set. """ return pulumi.get(self, "identity_provider_alias") @@ -58,7 +58,7 @@ def identity_provider_alias(self, value: pulumi.Input[str]): @pulumi.getter def realm(self) -> pulumi.Input[str]: """ - Realm Name + The realm ID that this mapper will exist in. """ return pulumi.get(self, "realm") @@ -70,7 +70,7 @@ def realm(self, value: pulumi.Input[str]): @pulumi.getter(name="userSession") def user_session(self) -> pulumi.Input[bool]: """ - Is Attribute Related To a User Session + Is Attribute related to a User Session. """ return pulumi.get(self, "user_session") @@ -82,7 +82,7 @@ def user_session(self, value: pulumi.Input[bool]): @pulumi.getter(name="attributeName") def attribute_name(self) -> Optional[pulumi.Input[str]]: """ - OIDC Claim + The name of the IDP attribute to set. """ return pulumi.get(self, "attribute_name") @@ -94,7 +94,7 @@ def attribute_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeValue") def attribute_value(self) -> Optional[pulumi.Input[str]]: """ - User Attribute + The value to set to the attribute. You can hardcode any value like 'foo'. """ return pulumi.get(self, "attribute_value") @@ -115,7 +115,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -136,12 +136,12 @@ def __init__(__self__, *, user_session: Optional[pulumi.Input[bool]] = None): """ Input properties used for looking up and filtering HardcodedAttributeIdentityProviderMapper resources. - :param pulumi.Input[str] attribute_name: OIDC Claim - :param pulumi.Input[str] attribute_value: User Attribute - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[bool] user_session: Is Attribute Related To a User Session + :param pulumi.Input[str] attribute_name: The name of the IDP attribute to set. + :param pulumi.Input[str] attribute_value: The value to set to the attribute. You can hardcode any value like 'foo'. + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[bool] user_session: Is Attribute related to a User Session. """ if attribute_name is not None: pulumi.set(__self__, "attribute_name", attribute_name) @@ -162,7 +162,7 @@ def __init__(__self__, *, @pulumi.getter(name="attributeName") def attribute_name(self) -> Optional[pulumi.Input[str]]: """ - OIDC Claim + The name of the IDP attribute to set. """ return pulumi.get(self, "attribute_name") @@ -174,7 +174,7 @@ def attribute_name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="attributeValue") def attribute_value(self) -> Optional[pulumi.Input[str]]: """ - User Attribute + The value to set to the attribute. You can hardcode any value like 'foo'. """ return pulumi.get(self, "attribute_value") @@ -195,7 +195,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]): @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> Optional[pulumi.Input[str]]: """ - IDP Alias + The IDP alias of the attribute to set. """ return pulumi.get(self, "identity_provider_alias") @@ -207,7 +207,7 @@ def identity_provider_alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -219,7 +219,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def realm(self) -> Optional[pulumi.Input[str]]: """ - Realm Name + The realm ID that this mapper will exist in. """ return pulumi.get(self, "realm") @@ -231,7 +231,7 @@ def realm(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="userSession") def user_session(self) -> Optional[pulumi.Input[bool]]: """ - Is Attribute Related To a User Session + Is Attribute related to a User Session. """ return pulumi.get(self, "user_session") @@ -254,15 +254,45 @@ def __init__(__self__, user_session: Optional[pulumi.Input[bool]] = None, __props__=None): """ - Create a HardcodedAttributeIdentityProviderMapper resource with the given unique name, props, and options. + Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider. + + The identity provider hardcoded attribute mapper will set the specified value to the IDP attribute. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + oidc_identity_provider = keycloak.oidc.IdentityProvider("oidcIdentityProvider", + realm=realm.id, + alias="my-idp", + authorization_url="https://authorizationurl.com", + client_id="clientID", + client_secret="clientSecret", + token_url="https://tokenurl.com") + oidc_hardcoded_attribute_identity_provider_mapper = keycloak.HardcodedAttributeIdentityProviderMapper("oidcHardcodedAttributeIdentityProviderMapper", + realm=realm.id, + identity_provider_alias=oidc_identity_provider.alias, + attribute_name="attribute", + attribute_value="value", + user_session=True, + extra_config={ + "syncMode": "INHERIT", + }) + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] attribute_name: OIDC Claim - :param pulumi.Input[str] attribute_value: User Attribute - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[bool] user_session: Is Attribute Related To a User Session + :param pulumi.Input[str] attribute_name: The name of the IDP attribute to set. + :param pulumi.Input[str] attribute_value: The value to set to the attribute. You can hardcode any value like 'foo'. + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[bool] user_session: Is Attribute related to a User Session. """ ... @overload @@ -271,7 +301,37 @@ def __init__(__self__, args: HardcodedAttributeIdentityProviderMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a HardcodedAttributeIdentityProviderMapper resource with the given unique name, props, and options. + Allows for creating and managing hardcoded attribute mappers for Keycloak identity provider. + + The identity provider hardcoded attribute mapper will set the specified value to the IDP attribute. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + oidc_identity_provider = keycloak.oidc.IdentityProvider("oidcIdentityProvider", + realm=realm.id, + alias="my-idp", + authorization_url="https://authorizationurl.com", + client_id="clientID", + client_secret="clientSecret", + token_url="https://tokenurl.com") + oidc_hardcoded_attribute_identity_provider_mapper = keycloak.HardcodedAttributeIdentityProviderMapper("oidcHardcodedAttributeIdentityProviderMapper", + realm=realm.id, + identity_provider_alias=oidc_identity_provider.alias, + attribute_name="attribute", + attribute_value="value", + user_session=True, + extra_config={ + "syncMode": "INHERIT", + }) + ``` + :param str resource_name: The name of the resource. :param HardcodedAttributeIdentityProviderMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -340,12 +400,12 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] attribute_name: OIDC Claim - :param pulumi.Input[str] attribute_value: User Attribute - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[bool] user_session: Is Attribute Related To a User Session + :param pulumi.Input[str] attribute_name: The name of the IDP attribute to set. + :param pulumi.Input[str] attribute_value: The value to set to the attribute. You can hardcode any value like 'foo'. + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[bool] user_session: Is Attribute related to a User Session. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -364,7 +424,7 @@ def get(resource_name: str, @pulumi.getter(name="attributeName") def attribute_name(self) -> pulumi.Output[Optional[str]]: """ - OIDC Claim + The name of the IDP attribute to set. """ return pulumi.get(self, "attribute_name") @@ -372,7 +432,7 @@ def attribute_name(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="attributeValue") def attribute_value(self) -> pulumi.Output[Optional[str]]: """ - User Attribute + The value to set to the attribute. You can hardcode any value like 'foo'. """ return pulumi.get(self, "attribute_value") @@ -385,7 +445,7 @@ def extra_config(self) -> pulumi.Output[Optional[Mapping[str, Any]]]: @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Output[str]: """ - IDP Alias + The IDP alias of the attribute to set. """ return pulumi.get(self, "identity_provider_alias") @@ -393,7 +453,7 @@ def identity_provider_alias(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - IDP Mapper Name + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -401,7 +461,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter def realm(self) -> pulumi.Output[str]: """ - Realm Name + The realm ID that this mapper will exist in. """ return pulumi.get(self, "realm") @@ -409,7 +469,7 @@ def realm(self) -> pulumi.Output[str]: @pulumi.getter(name="userSession") def user_session(self) -> pulumi.Output[bool]: """ - Is Attribute Related To a User Session + Is Attribute related to a User Session. """ return pulumi.get(self, "user_session") diff --git a/sdk/python/pulumi_keycloak/hardcoded_role_identity_mapper.py b/sdk/python/pulumi_keycloak/hardcoded_role_identity_mapper.py index 053a9b31..d9ac13f1 100644 --- a/sdk/python/pulumi_keycloak/hardcoded_role_identity_mapper.py +++ b/sdk/python/pulumi_keycloak/hardcoded_role_identity_mapper.py @@ -21,10 +21,10 @@ def __init__(__self__, *, role: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a HardcodedRoleIdentityMapper resource. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. """ pulumi.set(__self__, "identity_provider_alias", identity_provider_alias) pulumi.set(__self__, "realm", realm) @@ -39,7 +39,7 @@ def __init__(__self__, *, @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Input[str]: """ - IDP Alias + The IDP alias of the attribute to set. """ return pulumi.get(self, "identity_provider_alias") @@ -51,7 +51,7 @@ def identity_provider_alias(self, value: pulumi.Input[str]): @pulumi.getter def realm(self) -> pulumi.Input[str]: """ - Realm Name + The realm ID that this mapper will exist in. """ return pulumi.get(self, "realm") @@ -72,7 +72,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -84,7 +84,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def role(self) -> Optional[pulumi.Input[str]]: """ - Role Name + The name of the role which should be assigned to the users. """ return pulumi.get(self, "role") @@ -103,10 +103,10 @@ def __init__(__self__, *, role: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering HardcodedRoleIdentityMapper resources. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. """ if extra_config is not None: pulumi.set(__self__, "extra_config", extra_config) @@ -132,7 +132,7 @@ def extra_config(self, value: Optional[pulumi.Input[Mapping[str, Any]]]): @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> Optional[pulumi.Input[str]]: """ - IDP Alias + The IDP alias of the attribute to set. """ return pulumi.get(self, "identity_provider_alias") @@ -144,7 +144,7 @@ def identity_provider_alias(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - IDP Mapper Name + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -156,7 +156,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def realm(self) -> Optional[pulumi.Input[str]]: """ - Realm Name + The realm ID that this mapper will exist in. """ return pulumi.get(self, "realm") @@ -168,7 +168,7 @@ def realm(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def role(self) -> Optional[pulumi.Input[str]]: """ - Role Name + The name of the role which should be assigned to the users. """ return pulumi.get(self, "role") @@ -189,13 +189,44 @@ def __init__(__self__, role: Optional[pulumi.Input[str]] = None, __props__=None): """ - Create a HardcodedRoleIdentityMapper resource with the given unique name, props, and options. + Allows for creating and managing hardcoded role mappers for Keycloak identity provider. + + The identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + oidc_identity_provider = keycloak.oidc.IdentityProvider("oidcIdentityProvider", + realm=realm.id, + alias="my-idp", + authorization_url="https://authorizationurl.com", + client_id="clientID", + client_secret="clientSecret", + token_url="https://tokenurl.com") + realm_role = keycloak.Role("realmRole", + realm_id=realm.id, + description="My Realm Role") + oidc_hardcoded_role_identity_mapper = keycloak.HardcodedRoleIdentityMapper("oidcHardcodedRoleIdentityMapper", + realm=realm.id, + identity_provider_alias=oidc_identity_provider.alias, + role="my-realm-role", + extra_config={ + "syncMode": "INHERIT", + }) + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. """ ... @overload @@ -204,7 +235,38 @@ def __init__(__self__, args: HardcodedRoleIdentityMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a HardcodedRoleIdentityMapper resource with the given unique name, props, and options. + Allows for creating and managing hardcoded role mappers for Keycloak identity provider. + + The identity provider hardcoded role mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + oidc_identity_provider = keycloak.oidc.IdentityProvider("oidcIdentityProvider", + realm=realm.id, + alias="my-idp", + authorization_url="https://authorizationurl.com", + client_id="clientID", + client_secret="clientSecret", + token_url="https://tokenurl.com") + realm_role = keycloak.Role("realmRole", + realm_id=realm.id, + description="My Realm Role") + oidc_hardcoded_role_identity_mapper = keycloak.HardcodedRoleIdentityMapper("oidcHardcodedRoleIdentityMapper", + realm=realm.id, + identity_provider_alias=oidc_identity_provider.alias, + role="my-realm-role", + extra_config={ + "syncMode": "INHERIT", + }) + ``` + :param str resource_name: The name of the resource. :param HardcodedRoleIdentityMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -265,10 +327,10 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] identity_provider_alias: IDP Alias - :param pulumi.Input[str] name: IDP Mapper Name - :param pulumi.Input[str] realm: Realm Name - :param pulumi.Input[str] role: Role Name + :param pulumi.Input[str] identity_provider_alias: The IDP alias of the attribute to set. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm: The realm ID that this mapper will exist in. + :param pulumi.Input[str] role: The name of the role which should be assigned to the users. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -290,7 +352,7 @@ def extra_config(self) -> pulumi.Output[Optional[Mapping[str, Any]]]: @pulumi.getter(name="identityProviderAlias") def identity_provider_alias(self) -> pulumi.Output[str]: """ - IDP Alias + The IDP alias of the attribute to set. """ return pulumi.get(self, "identity_provider_alias") @@ -298,7 +360,7 @@ def identity_provider_alias(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - IDP Mapper Name + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -306,7 +368,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter def realm(self) -> pulumi.Output[str]: """ - Realm Name + The realm ID that this mapper will exist in. """ return pulumi.get(self, "realm") @@ -314,7 +376,7 @@ def realm(self) -> pulumi.Output[str]: @pulumi.getter def role(self) -> pulumi.Output[Optional[str]]: """ - Role Name + The name of the role which should be assigned to the users. """ return pulumi.get(self, "role") diff --git a/sdk/python/pulumi_keycloak/ldap/hardcoded_group_mapper.py b/sdk/python/pulumi_keycloak/ldap/hardcoded_group_mapper.py index 739b19bc..b835eb6e 100644 --- a/sdk/python/pulumi_keycloak/ldap/hardcoded_group_mapper.py +++ b/sdk/python/pulumi_keycloak/ldap/hardcoded_group_mapper.py @@ -20,10 +20,10 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a HardcodedGroupMapper resource. - :param pulumi.Input[str] group: Group to grant to user. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. + :param pulumi.Input[str] group: The name of the group which should be assigned to the users. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. """ pulumi.set(__self__, "group", group) pulumi.set(__self__, "ldap_user_federation_id", ldap_user_federation_id) @@ -35,7 +35,7 @@ def __init__(__self__, *, @pulumi.getter def group(self) -> pulumi.Input[str]: """ - Group to grant to user. + The name of the group which should be assigned to the users. """ return pulumi.get(self, "group") @@ -47,7 +47,7 @@ def group(self, value: pulumi.Input[str]): @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Input[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -59,7 +59,7 @@ def ldap_user_federation_id(self, value: pulumi.Input[str]): @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -71,7 +71,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -89,10 +89,10 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering HardcodedGroupMapper resources. - :param pulumi.Input[str] group: Group to grant to user. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[str] group: The name of the group which should be assigned to the users. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. """ if group is not None: pulumi.set(__self__, "group", group) @@ -107,7 +107,7 @@ def __init__(__self__, *, @pulumi.getter def group(self) -> Optional[pulumi.Input[str]]: """ - Group to grant to user. + The name of the group which should be assigned to the users. """ return pulumi.get(self, "group") @@ -119,7 +119,7 @@ def group(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> Optional[pulumi.Input[str]]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -131,7 +131,7 @@ def ldap_user_federation_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -143,7 +143,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") @@ -163,13 +163,53 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - Create a HardcodedGroupMapper resource with the given unique name, props, and options. + Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP. + + The LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation", + realm_id=realm.id, + username_ldap_attribute="cn", + rdn_ldap_attribute="cn", + uuid_ldap_attribute="entryDN", + user_object_classes=[ + "simpleSecurityObject", + "organizationalRole", + ], + connection_url="ldap://openldap", + users_dn="dc=example,dc=org", + bind_dn="cn=admin,dc=example,dc=org", + bind_credential="admin") + realm_group = keycloak.Group("realmGroup", realm_id=realm.id) + assign_group_to_users = keycloak.ldap.HardcodedGroupMapper("assignGroupToUsers", + realm_id=realm.id, + ldap_user_federation_id=ldap_user_federation.id, + group=realm_group.name) + ``` + + ## Import + + LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash + + ```sh + $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] group: Group to grant to user. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[str] group: The name of the group which should be assigned to the users. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. """ ... @overload @@ -178,7 +218,47 @@ def __init__(__self__, args: HardcodedGroupMapperArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a HardcodedGroupMapper resource with the given unique name, props, and options. + Allows for creating and managing hardcoded group mappers for Keycloak users federated via LDAP. + + The LDAP hardcoded group mapper will grant a specified Keycloak group to each Keycloak user linked with LDAP. + + ## Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + ldap_user_federation = keycloak.ldap.UserFederation("ldapUserFederation", + realm_id=realm.id, + username_ldap_attribute="cn", + rdn_ldap_attribute="cn", + uuid_ldap_attribute="entryDN", + user_object_classes=[ + "simpleSecurityObject", + "organizationalRole", + ], + connection_url="ldap://openldap", + users_dn="dc=example,dc=org", + bind_dn="cn=admin,dc=example,dc=org", + bind_credential="admin") + realm_group = keycloak.Group("realmGroup", realm_id=realm.id) + assign_group_to_users = keycloak.ldap.HardcodedGroupMapper("assignGroupToUsers", + realm_id=realm.id, + ldap_user_federation_id=ldap_user_federation.id, + group=realm_group.name) + ``` + + ## Import + + LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. The ID of the LDAP user federation provider and the mapper can be found within the Keycloak GUI, and they are typically GUIDs. Examplebash + + ```sh + $ pulumi import keycloak:ldap/hardcodedGroupMapper:HardcodedGroupMapper assign_group_to_users my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 + ``` + :param str resource_name: The name of the resource. :param HardcodedGroupMapperArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -238,10 +318,10 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] group: Group to grant to user. - :param pulumi.Input[str] ldap_user_federation_id: The ldap user federation provider to attach this mapper to. - :param pulumi.Input[str] name: Display name of the mapper when displayed in the console. - :param pulumi.Input[str] realm_id: The realm in which the ldap user federation provider exists. + :param pulumi.Input[str] group: The name of the group which should be assigned to the users. + :param pulumi.Input[str] ldap_user_federation_id: The ID of the LDAP user federation provider to attach this mapper to. + :param pulumi.Input[str] name: Display name of this mapper when displayed in the console. + :param pulumi.Input[str] realm_id: The realm that this LDAP mapper will exist in. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -257,7 +337,7 @@ def get(resource_name: str, @pulumi.getter def group(self) -> pulumi.Output[str]: """ - Group to grant to user. + The name of the group which should be assigned to the users. """ return pulumi.get(self, "group") @@ -265,7 +345,7 @@ def group(self) -> pulumi.Output[str]: @pulumi.getter(name="ldapUserFederationId") def ldap_user_federation_id(self) -> pulumi.Output[str]: """ - The ldap user federation provider to attach this mapper to. + The ID of the LDAP user federation provider to attach this mapper to. """ return pulumi.get(self, "ldap_user_federation_id") @@ -273,7 +353,7 @@ def ldap_user_federation_id(self) -> pulumi.Output[str]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - Display name of the mapper when displayed in the console. + Display name of this mapper when displayed in the console. """ return pulumi.get(self, "name") @@ -281,7 +361,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm in which the ldap user federation provider exists. + The realm that this LDAP mapper will exist in. """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/__init__.py b/sdk/python/pulumi_keycloak/openid/__init__.py index 7d49f9c9..a7bd0e3a 100644 --- a/sdk/python/pulumi_keycloak/openid/__init__.py +++ b/sdk/python/pulumi_keycloak/openid/__init__.py @@ -6,6 +6,7 @@ import typing # Export this package's modules as members: from .audience_protocol_mapper import * +from .audience_resolve_protocol_mapper import * from .audience_resolve_protocol_mappter import * from .client import * from .client_aggregate_policy import * diff --git a/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mapper.py b/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mapper.py new file mode 100644 index 00000000..c752fb8a --- /dev/null +++ b/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mapper.py @@ -0,0 +1,391 @@ +# coding=utf-8 +# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** +# *** Do not edit by hand unless you're certain you know what you are doing! *** + +import copy +import warnings +import pulumi +import pulumi.runtime +from typing import Any, Mapping, Optional, Sequence, Union, overload +from .. import _utilities + +__all__ = ['AudienceResolveProtocolMapperArgs', 'AudienceResolveProtocolMapper'] + +@pulumi.input_type +class AudienceResolveProtocolMapperArgs: + def __init__(__self__, *, + realm_id: pulumi.Input[str], + client_id: Optional[pulumi.Input[str]] = None, + client_scope_id: Optional[pulumi.Input[str]] = None, + name: Optional[pulumi.Input[str]] = None): + """ + The set of arguments for constructing a AudienceResolveProtocolMapper resource. + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + """ + pulumi.set(__self__, "realm_id", realm_id) + if client_id is not None: + pulumi.set(__self__, "client_id", client_id) + if client_scope_id is not None: + pulumi.set(__self__, "client_scope_id", client_scope_id) + if name is not None: + pulumi.set(__self__, "name", name) + + @property + @pulumi.getter(name="realmId") + def realm_id(self) -> pulumi.Input[str]: + """ + The realm this protocol mapper exists within. + """ + return pulumi.get(self, "realm_id") + + @realm_id.setter + def realm_id(self, value: pulumi.Input[str]): + pulumi.set(self, "realm_id", value) + + @property + @pulumi.getter(name="clientId") + def client_id(self) -> Optional[pulumi.Input[str]]: + """ + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + """ + return pulumi.get(self, "client_id") + + @client_id.setter + def client_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "client_id", value) + + @property + @pulumi.getter(name="clientScopeId") + def client_scope_id(self) -> Optional[pulumi.Input[str]]: + """ + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + """ + return pulumi.get(self, "client_scope_id") + + @client_scope_id.setter + def client_scope_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "client_scope_id", value) + + @property + @pulumi.getter + def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + """ + return pulumi.get(self, "name") + + @name.setter + def name(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "name", value) + + +@pulumi.input_type +class _AudienceResolveProtocolMapperState: + def __init__(__self__, *, + client_id: Optional[pulumi.Input[str]] = None, + client_scope_id: Optional[pulumi.Input[str]] = None, + name: Optional[pulumi.Input[str]] = None, + realm_id: Optional[pulumi.Input[str]] = None): + """ + Input properties used for looking up and filtering AudienceResolveProtocolMapper resources. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + """ + if client_id is not None: + pulumi.set(__self__, "client_id", client_id) + if client_scope_id is not None: + pulumi.set(__self__, "client_scope_id", client_scope_id) + if name is not None: + pulumi.set(__self__, "name", name) + if realm_id is not None: + pulumi.set(__self__, "realm_id", realm_id) + + @property + @pulumi.getter(name="clientId") + def client_id(self) -> Optional[pulumi.Input[str]]: + """ + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + """ + return pulumi.get(self, "client_id") + + @client_id.setter + def client_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "client_id", value) + + @property + @pulumi.getter(name="clientScopeId") + def client_scope_id(self) -> Optional[pulumi.Input[str]]: + """ + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + """ + return pulumi.get(self, "client_scope_id") + + @client_scope_id.setter + def client_scope_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "client_scope_id", value) + + @property + @pulumi.getter + def name(self) -> Optional[pulumi.Input[str]]: + """ + The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + """ + return pulumi.get(self, "name") + + @name.setter + def name(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "name", value) + + @property + @pulumi.getter(name="realmId") + def realm_id(self) -> Optional[pulumi.Input[str]]: + """ + The realm this protocol mapper exists within. + """ + return pulumi.get(self, "realm_id") + + @realm_id.setter + def realm_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "realm_id", value) + + +class AudienceResolveProtocolMapper(pulumi.CustomResource): + @overload + def __init__(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + client_id: Optional[pulumi.Input[str]] = None, + client_scope_id: Optional[pulumi.Input[str]] = None, + name: Optional[pulumi.Input[str]] = None, + realm_id: Optional[pulumi.Input[str]] = None, + __props__=None): + """ + Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. + + This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles + to imply which audiences are appropriate for the token. See the + [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. + + ## Example Usage + ### Client) + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + openid_client = keycloak.openid.Client("openidClient", + realm_id=realm.id, + client_id="client", + enabled=True, + access_type="CONFIDENTIAL", + valid_redirect_uris=["http://localhost:8080/openid-callback"]) + audience_mapper = keycloak.openid.AudienceResolveProtocolMapper("audienceMapper", + realm_id=realm.id, + client_id=openid_client.id) + ``` + ### Client Scope) + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + client_scope = keycloak.openid.ClientScope("clientScope", realm_id=realm.id) + audience_mapper = keycloak.openid.AudienceProtocolMapper("audienceMapper", + realm_id=realm.id, + client_scope_id=client_scope.id) + ``` + + ## Import + + Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash + + ```sh + $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + :param str resource_name: The name of the resource. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + """ + ... + @overload + def __init__(__self__, + resource_name: str, + args: AudienceResolveProtocolMapperArgs, + opts: Optional[pulumi.ResourceOptions] = None): + """ + Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. + + This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles + to imply which audiences are appropriate for the token. See the + [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. + + ## Example Usage + ### Client) + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + openid_client = keycloak.openid.Client("openidClient", + realm_id=realm.id, + client_id="client", + enabled=True, + access_type="CONFIDENTIAL", + valid_redirect_uris=["http://localhost:8080/openid-callback"]) + audience_mapper = keycloak.openid.AudienceResolveProtocolMapper("audienceMapper", + realm_id=realm.id, + client_id=openid_client.id) + ``` + ### Client Scope) + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + client_scope = keycloak.openid.ClientScope("clientScope", realm_id=realm.id) + audience_mapper = keycloak.openid.AudienceProtocolMapper("audienceMapper", + realm_id=realm.id, + client_scope_id=client_scope.id) + ``` + + ## Import + + Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash + + ```sh + $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + ```sh + $ pulumi import keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 + ``` + + :param str resource_name: The name of the resource. + :param AudienceResolveProtocolMapperArgs args: The arguments to use to populate this resource's properties. + :param pulumi.ResourceOptions opts: Options for the resource. + """ + ... + def __init__(__self__, resource_name: str, *args, **kwargs): + resource_args, opts = _utilities.get_resource_args_opts(AudienceResolveProtocolMapperArgs, pulumi.ResourceOptions, *args, **kwargs) + if resource_args is not None: + __self__._internal_init(resource_name, opts, **resource_args.__dict__) + else: + __self__._internal_init(resource_name, *args, **kwargs) + + def _internal_init(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + client_id: Optional[pulumi.Input[str]] = None, + client_scope_id: Optional[pulumi.Input[str]] = None, + name: Optional[pulumi.Input[str]] = None, + realm_id: Optional[pulumi.Input[str]] = None, + __props__=None): + opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) + if not isinstance(opts, pulumi.ResourceOptions): + raise TypeError('Expected resource options to be a ResourceOptions instance') + if opts.id is None: + if __props__ is not None: + raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource') + __props__ = AudienceResolveProtocolMapperArgs.__new__(AudienceResolveProtocolMapperArgs) + + __props__.__dict__["client_id"] = client_id + __props__.__dict__["client_scope_id"] = client_scope_id + __props__.__dict__["name"] = name + if realm_id is None and not opts.urn: + raise TypeError("Missing required property 'realm_id'") + __props__.__dict__["realm_id"] = realm_id + alias_opts = pulumi.ResourceOptions(aliases=[pulumi.Alias(type_="keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter")]) + opts = pulumi.ResourceOptions.merge(opts, alias_opts) + super(AudienceResolveProtocolMapper, __self__).__init__( + 'keycloak:openid/audienceResolveProtocolMapper:AudienceResolveProtocolMapper', + resource_name, + __props__, + opts) + + @staticmethod + def get(resource_name: str, + id: pulumi.Input[str], + opts: Optional[pulumi.ResourceOptions] = None, + client_id: Optional[pulumi.Input[str]] = None, + client_scope_id: Optional[pulumi.Input[str]] = None, + name: Optional[pulumi.Input[str]] = None, + realm_id: Optional[pulumi.Input[str]] = None) -> 'AudienceResolveProtocolMapper': + """ + Get an existing AudienceResolveProtocolMapper resource's state with the given name, id, and optional extra + properties used to qualify the lookup. + + :param str resource_name: The unique name of the resulting resource. + :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + """ + opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) + + __props__ = _AudienceResolveProtocolMapperState.__new__(_AudienceResolveProtocolMapperState) + + __props__.__dict__["client_id"] = client_id + __props__.__dict__["client_scope_id"] = client_scope_id + __props__.__dict__["name"] = name + __props__.__dict__["realm_id"] = realm_id + return AudienceResolveProtocolMapper(resource_name, opts=opts, __props__=__props__) + + @property + @pulumi.getter(name="clientId") + def client_id(self) -> pulumi.Output[Optional[str]]: + """ + The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + """ + return pulumi.get(self, "client_id") + + @property + @pulumi.getter(name="clientScopeId") + def client_scope_id(self) -> pulumi.Output[Optional[str]]: + """ + The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + """ + return pulumi.get(self, "client_scope_id") + + @property + @pulumi.getter + def name(self) -> pulumi.Output[str]: + """ + The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + """ + return pulumi.get(self, "name") + + @property + @pulumi.getter(name="realmId") + def realm_id(self) -> pulumi.Output[str]: + """ + The realm this protocol mapper exists within. + """ + return pulumi.get(self, "realm_id") + diff --git a/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mappter.py b/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mappter.py index 459e8d3e..136f890d 100644 --- a/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mappter.py +++ b/sdk/python/pulumi_keycloak/openid/audience_resolve_protocol_mappter.py @@ -20,10 +20,10 @@ def __init__(__self__, *, name: Optional[pulumi.Input[str]] = None): """ The set of arguments for constructing a AudienceResolveProtocolMappter resource. - :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. - :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. + :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. + :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. + :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. """ pulumi.set(__self__, "realm_id", realm_id) if client_id is not None: @@ -37,7 +37,7 @@ def __init__(__self__, *, @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Input[str]: """ - The realm this protocol mapper exists within. + The realm id where the associated client or client scope exists. """ return pulumi.get(self, "realm_id") @@ -49,7 +49,7 @@ def realm_id(self, value: pulumi.Input[str]): @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + The mapper's associated client. Cannot be used at the same time as client_scope_id. """ return pulumi.get(self, "client_id") @@ -61,7 +61,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + The mapper's associated client scope. Cannot be used at the same time as client_id. """ return pulumi.get(self, "client_scope_id") @@ -73,7 +73,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + A human-friendly name that will appear in the Keycloak console. """ return pulumi.get(self, "name") @@ -91,10 +91,10 @@ def __init__(__self__, *, realm_id: Optional[pulumi.Input[str]] = None): """ Input properties used for looking up and filtering AudienceResolveProtocolMappter resources. - :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". - :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. + :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. + :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. """ if client_id is not None: pulumi.set(__self__, "client_id", client_id) @@ -109,7 +109,7 @@ def __init__(__self__, *, @pulumi.getter(name="clientId") def client_id(self) -> Optional[pulumi.Input[str]]: """ - The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + The mapper's associated client. Cannot be used at the same time as client_scope_id. """ return pulumi.get(self, "client_id") @@ -121,7 +121,7 @@ def client_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> Optional[pulumi.Input[str]]: """ - The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + The mapper's associated client scope. Cannot be used at the same time as client_id. """ return pulumi.get(self, "client_scope_id") @@ -133,7 +133,7 @@ def client_scope_id(self, value: Optional[pulumi.Input[str]]): @pulumi.getter def name(self) -> Optional[pulumi.Input[str]]: """ - The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + A human-friendly name that will appear in the Keycloak console. """ return pulumi.get(self, "name") @@ -145,7 +145,7 @@ def name(self, value: Optional[pulumi.Input[str]]): @pulumi.getter(name="realmId") def realm_id(self) -> Optional[pulumi.Input[str]]: """ - The realm this protocol mapper exists within. + The realm id where the associated client or client scope exists. """ return pulumi.get(self, "realm_id") @@ -154,7 +154,12 @@ def realm_id(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "realm_id", value) +warnings.warn("""keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper""", DeprecationWarning) + + class AudienceResolveProtocolMappter(pulumi.CustomResource): + warnings.warn("""keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper""", DeprecationWarning) + @overload def __init__(__self__, resource_name: str, @@ -165,65 +170,13 @@ def __init__(__self__, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): """ - Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. - - This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles - to imply which audiences are appropriate for the token. See the - [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. - - ## Example Usage - ### Client) - - ```python - import pulumi - import pulumi_keycloak as keycloak - - realm = keycloak.Realm("realm", - realm="my-realm", - enabled=True) - openid_client = keycloak.openid.Client("openidClient", - realm_id=realm.id, - client_id="client", - enabled=True, - access_type="CONFIDENTIAL", - valid_redirect_uris=["http://localhost:8080/openid-callback"]) - audience_mapper = keycloak.openid.AudienceResolveProtocolMappter("audienceMapper", - realm_id=realm.id, - client_id=openid_client.id) - ``` - ### Client Scope) - - ```python - import pulumi - import pulumi_keycloak as keycloak - - realm = keycloak.Realm("realm", - realm="my-realm", - enabled=True) - client_scope = keycloak.openid.ClientScope("clientScope", realm_id=realm.id) - audience_mapper = keycloak.openid.AudienceProtocolMapper("audienceMapper", - realm_id=realm.id, - client_scope_id=client_scope.id) - ``` - - ## Import - - Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash - - ```sh - $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - ``` - - ```sh - $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - ``` - + Create a AudienceResolveProtocolMappter resource with the given unique name, props, and options. :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". - :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. + :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. + :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. """ ... @overload @@ -232,59 +185,7 @@ def __init__(__self__, args: AudienceResolveProtocolMappterArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Allows for creating the "Audience Resolve" OIDC protocol mapper within Keycloak. - - This protocol mapper is useful to avoid manual management of audiences, instead relying on the presence of client roles - to imply which audiences are appropriate for the token. See the - [Keycloak docs](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) for more details. - - ## Example Usage - ### Client) - - ```python - import pulumi - import pulumi_keycloak as keycloak - - realm = keycloak.Realm("realm", - realm="my-realm", - enabled=True) - openid_client = keycloak.openid.Client("openidClient", - realm_id=realm.id, - client_id="client", - enabled=True, - access_type="CONFIDENTIAL", - valid_redirect_uris=["http://localhost:8080/openid-callback"]) - audience_mapper = keycloak.openid.AudienceResolveProtocolMappter("audienceMapper", - realm_id=realm.id, - client_id=openid_client.id) - ``` - ### Client Scope) - - ```python - import pulumi - import pulumi_keycloak as keycloak - - realm = keycloak.Realm("realm", - realm="my-realm", - enabled=True) - client_scope = keycloak.openid.ClientScope("clientScope", realm_id=realm.id) - audience_mapper = keycloak.openid.AudienceProtocolMapper("audienceMapper", - realm_id=realm.id, - client_scope_id=client_scope.id) - ``` - - ## Import - - Protocol mappers can be imported using one of the following formats- Client`{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - Client Scope`{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` Examplebash - - ```sh - $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - ``` - - ```sh - $ pulumi import keycloak:openid/audienceResolveProtocolMappter:AudienceResolveProtocolMappter audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 - ``` - + Create a AudienceResolveProtocolMappter resource with the given unique name, props, and options. :param str resource_name: The name of the resource. :param AudienceResolveProtocolMappterArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. @@ -305,6 +206,7 @@ def _internal_init(__self__, name: Optional[pulumi.Input[str]] = None, realm_id: Optional[pulumi.Input[str]] = None, __props__=None): + pulumi.log.warn("""AudienceResolveProtocolMappter is deprecated: keycloak.openid/audienceresolveprotocolmappter.AudienceResolveProtocolMappter has been deprecated in favor of keycloak.openid/audienceresolveprotocolmapper.AudienceResolveProtocolMapper""") opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) if not isinstance(opts, pulumi.ResourceOptions): raise TypeError('Expected resource options to be a ResourceOptions instance') @@ -340,10 +242,10 @@ def get(resource_name: str, :param str resource_name: The unique name of the resulting resource. :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. :param pulumi.ResourceOptions opts: Options for the resource. - :param pulumi.Input[str] client_id: The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] client_scope_id: The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. - :param pulumi.Input[str] name: The display name of this protocol mapper in the GUI. Defaults to "audience resolve". - :param pulumi.Input[str] realm_id: The realm this protocol mapper exists within. + :param pulumi.Input[str] client_id: The mapper's associated client. Cannot be used at the same time as client_scope_id. + :param pulumi.Input[str] client_scope_id: The mapper's associated client scope. Cannot be used at the same time as client_id. + :param pulumi.Input[str] name: A human-friendly name that will appear in the Keycloak console. + :param pulumi.Input[str] realm_id: The realm id where the associated client or client scope exists. """ opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) @@ -359,7 +261,7 @@ def get(resource_name: str, @pulumi.getter(name="clientId") def client_id(self) -> pulumi.Output[Optional[str]]: """ - The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. + The mapper's associated client. Cannot be used at the same time as client_scope_id. """ return pulumi.get(self, "client_id") @@ -367,7 +269,7 @@ def client_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter(name="clientScopeId") def client_scope_id(self) -> pulumi.Output[Optional[str]]: """ - The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. + The mapper's associated client scope. Cannot be used at the same time as client_id. """ return pulumi.get(self, "client_scope_id") @@ -375,7 +277,7 @@ def client_scope_id(self) -> pulumi.Output[Optional[str]]: @pulumi.getter def name(self) -> pulumi.Output[str]: """ - The display name of this protocol mapper in the GUI. Defaults to "audience resolve". + A human-friendly name that will appear in the Keycloak console. """ return pulumi.get(self, "name") @@ -383,7 +285,7 @@ def name(self) -> pulumi.Output[str]: @pulumi.getter(name="realmId") def realm_id(self) -> pulumi.Output[str]: """ - The realm this protocol mapper exists within. + The realm id where the associated client or client scope exists. """ return pulumi.get(self, "realm_id") diff --git a/sdk/python/pulumi_keycloak/openid/client_authorization_permission.py b/sdk/python/pulumi_keycloak/openid/client_authorization_permission.py index 60826c7d..c7ad9cec 100644 --- a/sdk/python/pulumi_keycloak/openid/client_authorization_permission.py +++ b/sdk/python/pulumi_keycloak/openid/client_authorization_permission.py @@ -282,7 +282,73 @@ def __init__(__self__, type: Optional[pulumi.Input[str]] = None, __props__=None): """ - Create a ClientAuthorizationPermission resource with the given unique name, props, and options. + ## # openid.ClientAuthorizationPermission + + Allows you to manage openid Client Authorization Permissions. + + ### Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + test_client = keycloak.openid.Client("testClient", + client_id="client_id", + realm_id=realm.id, + access_type="CONFIDENTIAL", + service_accounts_enabled=True, + authorization=keycloak.openid.ClientAuthorizationArgs( + policy_enforcement_mode="ENFORCING", + )) + default = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id, + resource_server_id=test_client.resource_server_id, + name="default") + test_client_authorization_resource = keycloak.openid.ClientAuthorizationResource("testClientAuthorizationResource", + resource_server_id=test_client.resource_server_id, + realm_id=realm.id, + uris=["/endpoint/*"]) + test_client_authorization_scope = keycloak.openid.ClientAuthorizationScope("testClientAuthorizationScope", + resource_server_id=test_client.resource_server_id, + realm_id=realm.id) + test_client_authorization_permission = keycloak.openid.ClientAuthorizationPermission("testClientAuthorizationPermission", + resource_server_id=test_client.resource_server_id, + realm_id=realm.id, + policies=[default.id], + resources=[test_client_authorization_resource.id]) + ``` + + ### Argument Reference + + The following arguments are supported: + + - `realm_id` - (Required) The realm this group exists in. + - `resource_server_id` - (Required) The ID of the resource server. + - `name` - (Required) The name of the permission. + - `description` - (Optional) A description for the authorization permission. + - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`. + - `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission. + - `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`. + - `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`. + - `scopes` - (Optional) A list of scope IDs that this permission must be applied to. + - `type` - (Optional) The type of permission, can be one of `resource` or `scope`. + + ### Attributes Reference + + In addition to the arguments listed above, the following computed attributes are exported: + + - `id` - Permission ID representing the permission. + + ## Import + + Client authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash + + ```sh + $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9 + ``` + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. """ @@ -293,7 +359,73 @@ def __init__(__self__, args: ClientAuthorizationPermissionArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a ClientAuthorizationPermission resource with the given unique name, props, and options. + ## # openid.ClientAuthorizationPermission + + Allows you to manage openid Client Authorization Permissions. + + ### Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", + realm="my-realm", + enabled=True) + test_client = keycloak.openid.Client("testClient", + client_id="client_id", + realm_id=realm.id, + access_type="CONFIDENTIAL", + service_accounts_enabled=True, + authorization=keycloak.openid.ClientAuthorizationArgs( + policy_enforcement_mode="ENFORCING", + )) + default = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id, + resource_server_id=test_client.resource_server_id, + name="default") + test_client_authorization_resource = keycloak.openid.ClientAuthorizationResource("testClientAuthorizationResource", + resource_server_id=test_client.resource_server_id, + realm_id=realm.id, + uris=["/endpoint/*"]) + test_client_authorization_scope = keycloak.openid.ClientAuthorizationScope("testClientAuthorizationScope", + resource_server_id=test_client.resource_server_id, + realm_id=realm.id) + test_client_authorization_permission = keycloak.openid.ClientAuthorizationPermission("testClientAuthorizationPermission", + resource_server_id=test_client.resource_server_id, + realm_id=realm.id, + policies=[default.id], + resources=[test_client_authorization_resource.id]) + ``` + + ### Argument Reference + + The following arguments are supported: + + - `realm_id` - (Required) The realm this group exists in. + - `resource_server_id` - (Required) The ID of the resource server. + - `name` - (Required) The name of the permission. + - `description` - (Optional) A description for the authorization permission. + - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. Defaults to `UNANIMOUS`. + - `policies` - (Optional) A list of policy IDs that must be applied to the scopes defined by this permission. + - `resources` - (Optional) A list of resource IDs that this permission must be applied to. Conflicts with `resource_type`. + - `resource_type` - (Optional) When specified, this permission will be evaluated for all instances of a given resource type. Conflicts with `resources`. + - `scopes` - (Optional) A list of scope IDs that this permission must be applied to. + - `type` - (Optional) The type of permission, can be one of `resource` or `scope`. + + ### Attributes Reference + + In addition to the arguments listed above, the following computed attributes are exported: + + - `id` - Permission ID representing the permission. + + ## Import + + Client authorization permissions can be imported using the format`{{realmId}}/{{resourceServerId}}/{{permissionId}}`. Examplebash + + ```sh + $ pulumi import keycloak:openid/clientAuthorizationPermission:ClientAuthorizationPermission test my-realm/3bd4a686-1062-4b59-97b8-e4e3f10b99da/63b3cde8-987d-4cd9-9306-1955579281d9 + ``` + :param str resource_name: The name of the resource. :param ClientAuthorizationPermissionArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. diff --git a/sdk/python/pulumi_keycloak/openid/client_permissions.py b/sdk/python/pulumi_keycloak/openid/client_permissions.py index e44c08bd..1782303f 100644 --- a/sdk/python/pulumi_keycloak/openid/client_permissions.py +++ b/sdk/python/pulumi_keycloak/openid/client_permissions.py @@ -287,7 +287,96 @@ def __init__(__self__, view_scope: Optional[pulumi.Input[pulumi.InputType['ClientPermissionsViewScopeArgs']]] = None, __props__=None): """ - Create a ClientPermissions resource with the given unique name, props, and options. + ## # openid.ClientPermissions + + Allows you to manage all openid client Scope Based Permissions. + + This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More + information about enabling the preview feature can be found + here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange + + When enabling Openid Client Permissions, Keycloak does several things automatically: + + 1. Enable Authorization on build-in realm-management client + 2. Create scopes "view", "manage", "configure", "map-roles", "map-roles-client-scope", "map-roles-composite", " + token-exchange" + 3. Create a resource representing the openid client + 4. Create all scope based permission for the scopes and openid client resource + + If the realm-management Authorization is not enable, you have to ceate a dependency (`depends_on`) with the policy and + the openid client. + + ### Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", realm="realm") + my_openid_client = keycloak.openid.Client("myOpenidClient", + realm_id=realm.id, + client_id="my_openid_client", + client_secret="secret", + access_type="CONFIDENTIAL", + standard_flow_enabled=True, + valid_redirect_uris=["http://localhost:8080/*"]) + realm_management = keycloak.openid.get_client_output(realm_id=realm.id, + client_id="realm-management") + test_user = keycloak.User("testUser", + realm_id=realm.id, + username="test-user", + email="test-user@fakedomain.com", + first_name="Testy", + last_name="Tester") + test_client_user_policy = keycloak.openid.ClientUserPolicy("testClientUserPolicy", + resource_server_id=realm_management.id, + realm_id=realm.id, + users=[test_user.id], + logic="POSITIVE", + decision_strategy="UNANIMOUS", + opts=pulumi.ResourceOptions(depends_on=[my_openid_client])) + my_permission = keycloak.openid.ClientPermissions("myPermission", + realm_id=realm.id, + client_id=my_openid_client.id, + view_scope=keycloak.openid.ClientPermissionsViewScopeArgs( + policies=[test_client_user_policy.id], + description="my description", + decision_strategy="UNANIMOUS", + )) + ``` + + ### Argument Reference + + The following arguments are supported: + + - `realm_id` - (Required) The realm this group exists in. + - `client_id` - (Required) The id of the client that provides the role. + + #### Permission Scopes + + Permission scopes can be defined using the following attributes: + + - `view_scope` + - `manage_scope` + - `configure_scope` + - `map_roles_scope` + - `map_roles_client_scope_scope` + - `map_roles_composite_scope` + - `token_exchange_scope` + + Each of these attributes have the following schema: + + - `policies` - (Optional) A list of policy IDs + - `description` - (Optional) A description for the permission scope + - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. + + ### Attributes Reference + + In addition to the arguments listed above, the following computed attributes are exported: + + - `authorization_resource_server_id` - Resource server id representing the realm management client on which this + permission is managed. + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. """ @@ -298,7 +387,96 @@ def __init__(__self__, args: ClientPermissionsArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a ClientPermissions resource with the given unique name, props, and options. + ## # openid.ClientPermissions + + Allows you to manage all openid client Scope Based Permissions. + + This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More + information about enabling the preview feature can be found + here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange + + When enabling Openid Client Permissions, Keycloak does several things automatically: + + 1. Enable Authorization on build-in realm-management client + 2. Create scopes "view", "manage", "configure", "map-roles", "map-roles-client-scope", "map-roles-composite", " + token-exchange" + 3. Create a resource representing the openid client + 4. Create all scope based permission for the scopes and openid client resource + + If the realm-management Authorization is not enable, you have to ceate a dependency (`depends_on`) with the policy and + the openid client. + + ### Example Usage + + ```python + import pulumi + import pulumi_keycloak as keycloak + + realm = keycloak.Realm("realm", realm="realm") + my_openid_client = keycloak.openid.Client("myOpenidClient", + realm_id=realm.id, + client_id="my_openid_client", + client_secret="secret", + access_type="CONFIDENTIAL", + standard_flow_enabled=True, + valid_redirect_uris=["http://localhost:8080/*"]) + realm_management = keycloak.openid.get_client_output(realm_id=realm.id, + client_id="realm-management") + test_user = keycloak.User("testUser", + realm_id=realm.id, + username="test-user", + email="test-user@fakedomain.com", + first_name="Testy", + last_name="Tester") + test_client_user_policy = keycloak.openid.ClientUserPolicy("testClientUserPolicy", + resource_server_id=realm_management.id, + realm_id=realm.id, + users=[test_user.id], + logic="POSITIVE", + decision_strategy="UNANIMOUS", + opts=pulumi.ResourceOptions(depends_on=[my_openid_client])) + my_permission = keycloak.openid.ClientPermissions("myPermission", + realm_id=realm.id, + client_id=my_openid_client.id, + view_scope=keycloak.openid.ClientPermissionsViewScopeArgs( + policies=[test_client_user_policy.id], + description="my description", + decision_strategy="UNANIMOUS", + )) + ``` + + ### Argument Reference + + The following arguments are supported: + + - `realm_id` - (Required) The realm this group exists in. + - `client_id` - (Required) The id of the client that provides the role. + + #### Permission Scopes + + Permission scopes can be defined using the following attributes: + + - `view_scope` + - `manage_scope` + - `configure_scope` + - `map_roles_scope` + - `map_roles_client_scope_scope` + - `map_roles_composite_scope` + - `token_exchange_scope` + + Each of these attributes have the following schema: + + - `policies` - (Optional) A list of policy IDs + - `description` - (Optional) A description for the permission scope + - `decision_strategy` - (Optional) The decision strategy, can be one of `UNANIMOUS`, `AFFIRMATIVE`, or `CONSENSUS`. + + ### Attributes Reference + + In addition to the arguments listed above, the following computed attributes are exported: + + - `authorization_resource_server_id` - Resource server id representing the realm management client on which this + permission is managed. + :param str resource_name: The name of the resource. :param ClientPermissionsArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. diff --git a/sdk/python/pulumi_keycloak/users_permissions.py b/sdk/python/pulumi_keycloak/users_permissions.py index 400d755b..b220059a 100644 --- a/sdk/python/pulumi_keycloak/users_permissions.py +++ b/sdk/python/pulumi_keycloak/users_permissions.py @@ -238,7 +238,35 @@ def __init__(__self__, view_scope: Optional[pulumi.Input[pulumi.InputType['UsersPermissionsViewScopeArgs']]] = None, __props__=None): """ - Create a UsersPermissions resource with the given unique name, props, and options. + ## Example Usage + ### Argument Reference + + The following arguments are supported: + + - `realm_id` - (Required) The realm in which to manage fine-grained user permissions. + + Each of the scopes that can be managed are defined below: + + - `view_scope` - (Optional) When specified, set the scope based view permission. + - `manage_scope` - (Optional) When specified, set the scope based manage permission. + - `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission. + - `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission. + - `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission. + - `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission. + + The configuration block for each of these scopes supports the following arguments: + + - `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. + - `description` - (Optional) Description of the permission. + - `decision_strategy` - (Optional) Decision strategy of the permission. + + ### Attributes Reference + + In addition to the arguments listed above, the following computed attributes are exported: + + - `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. + - `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed. + :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. """ @@ -249,7 +277,35 @@ def __init__(__self__, args: UsersPermissionsArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - Create a UsersPermissions resource with the given unique name, props, and options. + ## Example Usage + ### Argument Reference + + The following arguments are supported: + + - `realm_id` - (Required) The realm in which to manage fine-grained user permissions. + + Each of the scopes that can be managed are defined below: + + - `view_scope` - (Optional) When specified, set the scope based view permission. + - `manage_scope` - (Optional) When specified, set the scope based manage permission. + - `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission. + - `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission. + - `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission. + - `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission. + + The configuration block for each of these scopes supports the following arguments: + + - `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. + - `description` - (Optional) Description of the permission. + - `decision_strategy` - (Optional) Decision strategy of the permission. + + ### Attributes Reference + + In addition to the arguments listed above, the following computed attributes are exported: + + - `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. + - `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed. + :param str resource_name: The name of the resource. :param UsersPermissionsArgs args: The arguments to use to populate this resource's properties. :param pulumi.ResourceOptions opts: Options for the resource. diff --git a/upstream b/upstream new file mode 160000 index 00000000..bfee4d7c --- /dev/null +++ b/upstream @@ -0,0 +1 @@ +Subproject commit bfee4d7cd1591b015f4db84cce12bea36b6e871f