forked from mrparkers/terraform-provider-keycloak
Merge branch 'master' into mrparkersGH-424-Fix-local-development-environment
Showing 117 changed files with 6,508 additions and 5,572 deletions.
@@ -0,0 +1,93 @@ | ||
--- | ||
page_title: "keycloak_openid_script_protocol_mapper Resource" | ||
--- | ||
|
||
# keycloak\_openid\_script\_protocol\_mapper Resource | ||
|
||
Allows for creating and managing script protocol mappers within Keycloak. | ||
|
||
Script protocol mappers evaluate a JavaScript function to produce a token claim based on context information. | ||
|
||
Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between | ||
multiple different clients. | ||
|
||
## Example Usage (Client) | ||
|
||
```hcl | ||
resource "keycloak_realm" "realm" { | ||
realm = "my-realm" | ||
enabled = true | ||
} | ||
resource "keycloak_openid_client" "openid_client" { | ||
realm_id = keycloak_realm.realm.id | ||
client_id = "client" | ||
name = "client" | ||
enabled = true | ||
access_type = "CONFIDENTIAL" | ||
valid_redirect_uris = [ | ||
"http://localhost:8080/openid-callback" | ||
] | ||
} | ||
resource "keycloak_openid_script_protocol_mapper" "script_mapper" { | ||
realm_id = keycloak_realm.realm.id | ||
client_id = keycloak_openid_client.openid_client.id | ||
name = "script-mapper" | ||
claim_name = "foo" | ||
script = "exports = 'foo';" | ||
} | ||
``` | ||
|
||
## Example Usage (Client Scope) | ||
|
||
```hcl | ||
resource "keycloak_realm" "realm" { | ||
realm = "my-realm" | ||
enabled = true | ||
} | ||
resource "keycloak_openid_client_scope" "client_scope" { | ||
realm_id = keycloak_realm.realm.id | ||
name = "client-scope" | ||
} | ||
resource "keycloak_openid_script_protocol_mapper" "script_mapper" { | ||
realm_id = keycloak_realm.realm.id | ||
client_scope_id = keycloak_openid_client_scope.client_scope.id | ||
name = "script-mapper" | ||
claim_name = "foo" | ||
script = "exports = 'foo';" | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
- `realm_id` - (Required) The realm this protocol mapper exists within. | ||
- `name` - (Required) The display name of this protocol mapper in the GUI. | ||
- `claim_name` - (Required) The name of the claim to insert into a token. | ||
- `script` - (Required) JavaScript code to compute the claim value. | ||
- `client_id` - (Optional) The client this protocol mapper should be attached to. Conflicts with `client_scope_id`. One of `client_id` or `client_scope_id` must be specified. | ||
- `client_scope_id` - (Optional) The client scope this protocol mapper should be attached to. Conflicts with `client_id`. One of `client_id` or `client_scope_id` must be specified. | ||
- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. | ||
- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. | ||
- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. | ||
- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. | ||
- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. | ||
|
||
## Import | ||
|
||
Protocol mappers can be imported using one of the following formats: | ||
- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` | ||
- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` | ||
|
||
Example: | ||
|
||
```bash | ||
$ terraform import keycloak_openid_script_protocol_mapper.script_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 | ||
$ terraform import keycloak_openid_script_protocol_mapper.script_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 | ||
``` |
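Review bot: the `## Argument Reference` entry for `script` is the only description of what this resource deploys, and "JavaScript code to compute the claim value" understates it: the string is executed server-side inside Keycloak every time a token is issued, so anyone who can change this Terraform configuration (or its state) is effectively deploying code into the identity provider, and the page should say so where it says "Script protocol mappers evaluate a JavaScript function". Suggest a prerequisites sentence modelled on the `admin_fine_grained_authz` note in the `keycloak_users_permissions` page; to my knowledge, creating script mappers through the admin API requires Keycloak's `upload_scripts` feature, which recent releases disable by default (`-Dkeycloak.profile.feature.upload_scripts=enabled`), so verify against the Keycloak versions the provider targets before documenting it. Two smaller documentation points: `claim_value_type` lists `long`, `int` and `boolean` but nothing says the value assigned to `exports` (as in `script = "exports = 'foo';"`) must be convertible to the selected type; and under `## Import`, `{{client_keycloak_id}}` deserves a note that it is the internal UUID shown in the example (`a7202154-...`), not the `client_id = "client"` string from the HCL.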
@@ -0,0 +1,144 @@ | ||
--- | ||
page_title: "keycloak_users_permissions Resource" | ||
--- | ||
|
||
# keycloak_users_permissions | ||
|
||
Allows you to manage fine-grained permissions for all users in a realm: https://www.keycloak.org/docs/latest/server_admin/#_users-permissions | ||
|
||
This is part of a preview Keycloak feature: `admin_fine_grained_authz` (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions). | ||
This feature can be enabled with the Keycloak option `-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled`. See the | ||
example [`docker-compose.yml`](https://github.com/mrparkers/terraform-provider-keycloak/blob/898094df6b3e01c3404981ce7ca268142d6ff0e5/docker-compose.yml#L21) file for an example. | ||
|
||
When enabling fine-grained permissions for users, Keycloak does several things automatically: | ||
1. Enable Authorization on built-in `realm-management` client (if not already enabled). | ||
1. Create a resource representing the users permissions. | ||
1. Create scopes `view`, `manage`, `map-roles`, `manage-group-membership`, `impersonate`, and `user-impersonated`. | ||
1. Create all scope based permission for the scopes and users resources. | ||
|
||
~> This resource should only be created once per realm. | ||
|
||
## Example Usage | ||
|
||
```hcl | ||
resource "keycloak_realm" "realm" { | ||
realm = "my-realm" | ||
} | ||
data "keycloak_openid_client" "realm_management" { | ||
realm_id = keycloak_realm.realm.id | ||
client_id = "realm-management" | ||
} | ||
// enable permissions for realm-management client | ||
resource "keycloak_openid_client_permissions" "realm_management_permission" { | ||
realm_id = keycloak_realm.realm.id | ||
client_id = data.keycloak_openid_client.realm_management.id | ||
enabled = true | ||
} | ||
// creating a user to use with the keycloak_openid_client_user_policy resource | ||
resource "keycloak_user" "test" { | ||
realm_id = keycloak_realm.realm.id | ||
username = "test-user" | ||
email = "test-user@fakedomain.com" | ||
first_name = "Testy" | ||
last_name = "Tester" | ||
} | ||
resource "keycloak_openid_client_user_policy" "test" { | ||
realm_id = keycloak_realm.realm.id | ||
resource_server_id = "${data.keycloak_openid_client.realm_management.id}" | ||
name = "client_user_policy_test" | ||
users = [keycloak_user.test.id] | ||
logic = "POSITIVE" | ||
decision_strategy = "UNANIMOUS" | ||
depends_on = [ | ||
keycloak_openid_client_permissions.realm-management_permission, | ||
] | ||
} | ||
resource "keycloak_users_permissions" "users_permissions" { | ||
realm_id = keycloak_realm.realm.id | ||
view_scope { | ||
policies = [ | ||
keycloak_openid_client_user_policy.test.id | ||
] | ||
description = "description" | ||
decision_strategy = "UNANIMOUS" | ||
} | ||
manage_scope { | ||
policies = [ | ||
keycloak_openid_client_user_policy.test.id | ||
] | ||
description = "description" | ||
decision_strategy = "UNANIMOUS" | ||
} | ||
map_roles_scope { | ||
policies = [ | ||
keycloak_openid_client_user_policy.test.id | ||
] | ||
description = "description" | ||
decision_strategy = "UNANIMOUS" | ||
} | ||
manage_group_membership_scope { | ||
policies = [ | ||
keycloak_openid_client_user_policy.test.id | ||
] | ||
description = "description" | ||
decision_strategy = "UNANIMOUS" | ||
} | ||
impersonate_scope { | ||
policies = [ | ||
keycloak_openid_client_user_policy.test.id | ||
] | ||
description = "description" | ||
decision_strategy = "UNANIMOUS" | ||
} | ||
user_impersonated_scope { | ||
policies = [ | ||
keycloak_openid_client_user_policy.test.id | ||
] | ||
description = "description" | ||
decision_strategy = "UNANIMOUS" | ||
} | ||
} | ||
``` | ||
|
||
### Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
- `realm_id` - (Required) The realm in which to manage fine-grained user permissions. | ||
|
||
Each of the scopes that can be managed are defined below: | ||
|
||
- `view_scope` - (Optional) When specified, set the scope based view permission. | ||
- `manage_scope` - (Optional) When specified, set the scope based manage permission. | ||
- `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission. | ||
- `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission. | ||
- `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission. | ||
- `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission. | ||
|
||
The configuration block for each of these scopes supports the following arguments: | ||
|
||
- `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID. | ||
- `description` - (Optional) Description of the permission. | ||
- `decision_strategy` - (Optional) Decision strategy of the permission. | ||
|
||
### Attributes Reference | ||
|
||
In addition to the arguments listed above, the following computed attributes are exported: | ||
|
||
- `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`. | ||
- `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed. | ||
|
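Review bot: the `## Example Usage` block does not validate: `keycloak_openid_client_permissions.realm-management_permission,` inside `depends_on` refers to a resource that is declared as `resource "keycloak_openid_client_permissions" "realm_management_permission"` (underscore, not hyphen), so `terraform validate` reports an undeclared resource; change the reference to `keycloak_openid_client_permissions.realm_management_permission`. In the same block, `resource_server_id = "${data.keycloak_openid_client.realm_management.id}"` uses legacy interpolation while every other attribute is a bare expression; `data.keycloak_openid_client.realm_management.id` is consistent with the rest of the file. On the documentation side, the example binds the single `client_user_policy_test` policy to all six scopes with the placeholder `description = "description"`; since `impersonate_scope` and `user_impersonated_scope` decide who may act as another user, `### Argument Reference` would benefit from one sentence saying these two scopes should get deliberately narrow policies rather than a copy of `view_scope`, and `decision_strategy` should list its accepted values (the example only shows `UNANIMOUS`), as `claim_value_type` does on the script mapper page. Finally, `1. Create all scope based permission for the scopes and users resources.` reads as "permissions" and "the users resource" (singular, matching step 2).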