diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3fcd35527..1231e380b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -77,9 +77,9 @@ jobs:
 strategy:
 matrix:
 keycloak-version:
- - '15.0.2'
+ - '16.1.1'
+ - '15.1.1'
 - '14.0.0'
- - '13.0.1'
 fail-fast: false
 concurrency:
 group: ${{ github.head_ref }}-${{ matrix.keycloak-version }}
diff --git a/README.md b/README.md
index cfb005001..39bb65429 100644
--- a/README.md
+++ b/README.md
@@ -1,43 +1,30 @@ # terraform-provider-keycloak Terraform provider for [Keycloak](https://www.keycloak.org/). -[![CircleCI](https://circleci.com/gh/mrparkers/terraform-provider-keycloak.svg?style=shield)](https://circleci.com/gh/mrparkers/terraform-provider-keycloak) - ## Docs All documentation for this provider can now be found on the Terraform Registry: https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs ## Installation -v2.0.0 and above can be installed automatically using Terraform >=0.13 by using the `terraform` configuration block: +This provider can be installed automatically using Terraform >=0.13 by using the `terraform` configuration block: ```hcl terraform { required_providers { keycloak = { source = "mrparkers/keycloak" - version = ">= 2.0.0" + version = ">= 3.0.0" } } } ``` -If you are using v2.0.0 and above with Terraform 0.12, you can use this provider by downloading it and placing it within +If you are using Terraform 0.12, you can use this provider by downloading it and placing it within one of the [implied local mirror directories](https://www.terraform.io/docs/commands/cli-config.html#implied-local-mirror-directories). Or, follow the [old instructions for installing third-party plugins](https://www.terraform.io/docs/configuration-0-11/providers.html#third-party-plugins). -If you are using any version below v2.0.0, you can also follow the [old instructions for installing third-party plugins](https://www.terraform.io/docs/configuration-0-11/providers.html#third-party-plugins). - -## Upgrade from terraform 0.12 and keycloak provider 1.x - -Please read https://www.terraform.io/upgrade-guides/0-13.html first. For a keycloak project follow the following steps in order: - -1. `terraform -v` should print 0.13 and list no keycloak provider -1. `terraform state replace-provider registry.terraform.io/-/keycloak mrparkers/keycloak` -1. 
find all `provider keycloak {...}` blocks in `*.tf` (also in all modules you are including) and delete the `version` line -1. add the `terraform { required_provides { keycloak = { ...` block mentioned in "Installation" to `terraform.tf` (also in all module directories you are including). Be sure to also always add "source" or else the Terraform looks for "hashicorp/keycloak"! -1. `terraform 0.13upgrade` -1. `terraform init` +If you are using any provider version below v2.0.0, you can also follow the [old instructions for installing third-party plugins](https://www.terraform.io/docs/configuration-0-11/providers.html#third-party-plugins). ## Supported Versions
@@ -45,9 +32,9 @@ This provider will officially support the latest three major versions of Keycloa The following versions are used when running acceptance tests in CI: -- 15.0.2 (latest) +- 16.1.1 (latest) +- 15.1.1 - 14.0.0 -- 13.0.1 ## Releases
@@ -61,7 +48,7 @@ created by a PGP key with the fingerprint `C508 6791 5E11 6CD2`. This key can be You can find the list of releases [here](https://github.com/mrparkers/terraform-provider-keycloak/releases). You can find the changelog for each version [here](https://github.com/mrparkers/terraform-provider-keycloak/blob/master/CHANGELOG.md). -Note: Prior to 2.0.0, a statically linked build for use within Alpine linux was included with each release. This is no longer +Note: Prior to v2.0.0, a statically linked build for use within Alpine linux was included with each release. This is no longer done due to [GoReleaser not supporting CGO](https://goreleaser.com/limitations/cgo/). Instead of using a statically linked, build you can use the `linux_amd64` build as long as `libc6-compat` is installed.
diff --git a/custom-user-federation-example/build.gradle b/custom-user-federation-example/build.gradle
index 62f6260f0..c5b50bbc7 100644
--- a/custom-user-federation-example/build.gradle
+++ b/custom-user-federation-example/build.gradle
@@ -1,6 +1,6 @@
 buildscript {
 ext.kotlinVersion = '1.3.31'
- ext.keycloakVersion = '15.0.2'
+ ext.keycloakVersion = '16.1.1'
 ext.shadowJarVersion = '4.0.2'
 repositories {
diff --git a/docker-compose.yml b/docker-compose.yml
index 0616c0f65..08cc292c9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,7 +17,7 @@ services:
 ports:
 - 8389:389
 keycloak:
- image: jboss/keycloak:15.0.2
+ image: jboss/keycloak:16.1.1
 command: -b 0.0.0.0 -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled
 depends_on:
 - postgres
diff --git a/docs-old/data_sources/keycloak_group.md b/docs-old/data_sources/keycloak_group.md
deleted file mode 100644
index 1045ddede..000000000
--- a/docs-old/data_sources/keycloak_group.md
+++ /dev/null
@@ -1,47 +0,0 @@ -# keycloak_group data source - -This data source can be used to fetch properties of a Keycloak group for -usage with other resources, such as `keycloak_group_roles`. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -data "keycloak_role" "offline_access" { - realm_id = keycloak_realm.realm.id - name = "offline_access" -} - -data "keycloak_group" "group" { - realm_id = keycloak_realm.realm.id - name = "group" -} - -resource "keycloak_group_roles" "group_roles" { - realm_id = keycloak_realm.realm.id - group_id = data.keycloak_group.group.id - - role_ids = [ - data.keycloak_role.offline_access.id - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists within. -- `name` - (Required) The name of the group. If there are multiple groups match `name`, it will return the first one it found. - -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `id` - The unique ID of the group, which can be used as an argument to - other resources supported by this provider. -
diff --git a/docs-old/data_sources/keycloak_openid_client.md b/docs-old/data_sources/keycloak_openid_client.md
deleted file mode 100644
index bd38e9ec0..000000000
--- a/docs-old/data_sources/keycloak_openid_client.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# keycloak_openid_client data source - -This data source can be used to fetch properties of a Keycloak OpenID client for usage with other resources. - -### Example Usage - -```hcl -data "keycloak_openid_client" "realm_management" { - realm_id = "my-realm" - client_id = "realm-management" -} - -# use the data source -data "keycloak_role" "admin" { - realm_id = "my-realm" - client_id = data.keycloak_openid_client.realm_management.id - name = "realm-admin" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm id. -- `client_id` - (Required) The client id. - -### Attributes Reference - -See the docs for the [`keycloak_openid_client` resource](../resources/keycloak_openid_client.md) for details on the exported attributes.
diff --git a/docs-old/data_sources/keycloak_realm.md b/docs-old/data_sources/keycloak_realm.md
deleted file mode 100644
index 05ad51104..000000000
--- a/docs-old/data_sources/keycloak_realm.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# keycloak_realm data source - -This data source can be used to fetch properties of a Keycloak realm for -usage with other resources. - -### Example Usage - -```hcl -data "keycloak_realm" "realm" { - realm = "my-realm" -} - -# use the data source - -resource "keycloak_role" "group" { - realm_id = data.keycloak_realm.realm.id - name = "group" -} - -``` - -### Argument Reference - -The following arguments are supported: - -- `realm` - (Required) The realm name. - -### Attributes Reference - -See the docs for the [`keycloak_realm` resource](../resources/keycloak_realm.md) for details on the exported attributes.
diff --git a/docs-old/data_sources/keycloak_realm_keys.md b/docs-old/data_sources/keycloak_realm_keys.md
deleted file mode 100644
index 50e41b329..000000000
--- a/docs-old/data_sources/keycloak_realm_keys.md
+++ /dev/null
@@ -1,38 +0,0 @@ -# keycloak_realm_keys data source - -Use this data source to get the keys of a realm. Keys can be filtered by algorithm and status. - -Remarks: - -- A key must meet all filter criteria -- This datasource may return more than one value. -- If no key matches the filter criteria, then an error is returned. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -data "keycloak_realm_keys" "keys" { - realm_id = keycloak_realm.realm - algorithms = ["AES", "RS256"] - status = ["ACTIVE", "PASSIVE"] -} - -# show certificate of first key: -output "certificate" { - value = data.keycloak_realm_keys.realm.keys[0].certificate -} - -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm of which the keys are retrieved. -- `algorithms` - (Optional) When specified, keys are filtered by algorithm (values for algorithm: `HS256`, `RS256`,`AES`, ...) -- `status` - (Optional) When specified, keys are filtered by status (values for status: `ACTIVE`, `DISABLED` and `PASSIVE`)
diff --git a/docs-old/data_sources/keycloak_role.md b/docs-old/data_sources/keycloak_role.md
deleted file mode 100644
index 73c94afe4..000000000
--- a/docs-old/data_sources/keycloak_role.md
+++ /dev/null
@@ -1,51 +0,0 @@ -# keycloak_role data source - -This data source can be used to fetch properties of a Keycloak role for -usage with other resources, such as `keycloak_group_roles`. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -data "keycloak_role" "offline_access" { - realm_id = keycloak_realm.realm.id - name = "offline_access" -} - -# use the data source - -resource "keycloak_group" "group" { - realm_id = keycloak_realm.realm.id - name = "group" -} - -resource "keycloak_group_roles" "group_roles" { - realm_id = keycloak_realm.realm.id - group_id = keycloak_group.group.id - - role_ids = [ - data.keycloak_role.offline_access.id - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this role exists within. -- `client_id` - (Optional) When specified, this role is assumed to be a - client role belonging to the client with the provided ID -- `name` - (Required) The name of the role - -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `id` - The unique ID of the role, which can be used as an argument to - other resources supported by this provider. -- `description` - The description of the role.
diff --git a/docs-old/data_sources/keycloak_saml_client_installation_provider.md b/docs-old/data_sources/keycloak_saml_client_installation_provider.md
deleted file mode 100644
index 31717300d..000000000
--- a/docs-old/data_sources/keycloak_saml_client_installation_provider.md
+++ /dev/null
@@ -1,56 +0,0 @@ -# keycloak_saml_client_installation_provider data source - -This data source can be used to retrieve Installation Provider -of a SAML Client. - -### Example Usage - -In the example below, we extract the SAML metadata IDPSSODescriptor -to pass it to the AWS IAM SAML Provider. - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client" "saml_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-saml-client" - name = "test-saml-client" - - sign_documents = false - sign_assertions = true - include_authn_statement = true - - signing_certificate = "${file("saml-cert.pem")}" - signing_private_key = "${file("saml-key.pem")}" -} - -data "keycloak_saml_client_installation_provider" "saml_idp_descriptor" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_saml_client.saml_client - provider_id = "saml-idp-descriptor" -} - - -resource "aws_iam_saml_provider" "default" { - name = "myprovider" - saml_metadata_document = data.keycloak_saml_client_installation_provider.saml_idp_descriptor.value -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists within. -- `client_id` - (Required) The name of the saml client. Not the id of the client. -- `provider_id` - (Required) Could be one of `saml-idp-descriptor`, `keycloak-saml`, `saml-sp-descriptor`, `keycloak-saml-subsystem`, `mod-auth-mellon` - -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `id` - The hash of the value -- `value` The returned XML document needed for SAML installation
diff --git a/docs-old/index.css b/docs-old/index.css
deleted file mode 100644
index 614d000f5..000000000
--- a/docs-old/index.css
+++ /dev/null
@@ -1,30 +0,0 @@
-.section h5 {
- margin-bottom: 15px;
-}
-
-.section p {
- margin-bottom: 15px;
-}
-
-.section li {
- line-height: 23px;
- margin-bottom: 12px;
-}
-
-h1 {
- font-size: 150%;
-}
-
-@media (min-width: 769px) {
- .wy-nav-side, .rst-versions {
- width: 410px;
- }
-
- .wy-nav-content-wrap {
- margin-left: 410px;
- }
-
- h1 {
- font-size: 175%;
- }
-}
diff --git a/docs-old/index.md b/docs-old/index.md
deleted file mode 100644
index 58380f7ea..000000000
--- a/docs-old/index.md
+++ /dev/null
@@ -1,83 +0,0 @@ -# Installing - -You can download the latest version of this provider on the -[GitHub releases](https://github.com/mrparkers/terraform-provider-keycloak/releases) -page. - -Please follow the [official docs](https://www.terraform.io/docs/configuration/providers.html#third-party-plugins) -for instructions on installing a third-party provider. - -# Keycloak Setup - -This Terraform provider can be configured to use the [client credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/) -or [password](https://www.oauth.com/oauth2-servers/access-tokens/password-grant/) grant types. If you aren't -sure which to use, the client credentials grant is recommended, as it was designed for machine to machine authentication. - -## Client Credentials Grant Setup (recommended) - -1. Create a new client using the `openid-connect` protocol. This client can be created in the `master` realm if you would -like to manage your entire Keycloak instance, or in any other realm if you only want to manage that realm. -1. Update the client you just created: - 1. Set "Access Type" to "confidential". - 1. Set "Standard Flow Enabled" to "OFF". - 1. Set "Direct Access Grants Enabled" to "OFF" - 1. Set "Service Accounts Enabled" to "ON". -1. Grant required roles for managing Keycloak via the "Service Account Roles" tab in the client you created in step 1. - -## Password Grant Setup - -These steps will assume that you are using the `admin-cli` client, which is already correctly configured for this type -of authentication. Do not follow these steps if you have already followed the steps for the client credentials grant. - -1. Create or identify the user whose credentials will be used for authentication. -1. Edit this user in the "Users" section of the management console and assign roles using the "Role Mappings" tab. - -## Assigning Roles - -There are many ways that roles can be assigned to manage Keycloak. 
Here are a couple of common scenarios accompanied -by suggested roles to assign. This is not an exhaustive list, and there is often more than one way to assign a particular set -of permissions. - -- Managing the entire Keycloak instance: Assign the `admin` role to a user or service account within the `master` realm. -- Managing the entire `foo` realm: Assign the `realm-admin` client role from the `realm-management` client to a user or service -account within the `foo` realm. -- Managing clients for all realms within the entire Keycloak instance: Assign the `create-client` client role from each of -the realm clients to a user or service account within the `master` realm. For example, given a Keycloak instance with realms -`master`, `foo`, and `bar`, assign the `create-client` client role from the clients `master-realm`, `foo-realm`, and `bar-realm`. - -# Provider Setup - -The following provider attributes are supported: - -- `client_id` (Required) - The `client_id` for the client that was created in the "Keycloak Setup" section. Use the `admin-cli` client if you are using the password grant. Defaults to the environment variable `KEYCLOAK_CLIENT_ID`. -- `url` (Required) - The URL of the Keycloak instance, before `/auth/admin`. Defaults to the environment variable `KEYCLOAK_URL`. -- `client_secret` (Optional) - The secret for the client used by the provider for authentication via the client credentials grant. This can be found or changed using the "Credentials" tab in the client settings. Defaults to the environment variable `KEYCLOAK_CLIENT_SECRET`. This attribute is required when using the client credentials grant, and cannot be set when using the password grant. -- `username` (Optional) - The username of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_USER`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant. 
-- `password` (Optional) - The password of the user used by the provider for authentication via the password grant. Defaults to environment variable `KEYCLOAK_PASSWORD`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant. -- `realm` (Optional) - The realm used by the provider for authentication. Defaults to environment variable `KEYCLOAK_REALM`, or `master` if the environment variable is not specified. -- `initial_login` (Optional) - Optionally avoid Keycloak login during provider setup, for when Keycloak itself is being provisioned by terraform. Defaults to true, which is the original method. -- `client_timeout` (Optional) - Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or 5 is the environment variable is not specified. -- `tls_insecure_skip_verify` (Optional) - Allows ignoring insecure certificates when set to true. Defaults to false. Disabling security check is dangerous and should be avoided. -- `root_ca_certificate` (Optional) - Allows x509 calls using an unknown CA certificate (for development purposes) -- `base_path` (Optional) - The base path used for accessing the Keycloak REST API. Defaults to `/auth` - -#### Example (client credentials) - -```hcl -provider "keycloak" { - client_id = "terraform" - client_secret = "884e0f95-0f42-4a63-9b1f-94274655669e" - url = "http://localhost:8080" -} -``` - -#### Example (password) - -```hcl -provider "keycloak" { - client_id = "admin-cli" - username = "keycloak" - password = "password" - url = "http://localhost:8080" -} -```
diff --git a/docs-old/resources/keycloak_attribute_importer_identity_provider_mapper.md b/docs-old/resources/keycloak_attribute_importer_identity_provider_mapper.md
deleted file mode 100644
index 80ef89299..000000000
--- a/docs-old/resources/keycloak_attribute_importer_identity_provider_mapper.md
+++ /dev/null
@@ -1,38 +0,0 @@ -# keycloak_attribute_importer_identity_provider_mapper - -Allows to create and manage identity provider mappers within Keycloak. - -### Example Usage - -```hcl -resource "keycloak_attribute_importer_identity_provider_mapper" "test_mapper" { - realm = "my-realm" - name = "my-mapper" - identity_provider_alias = "idp_alias" - attribute_name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" - user_attribute = "lastName" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm` - (Required) The name of the realm. -- `name` - (Required) The name of the mapper. -- `identity_provider_alias` - (Required) The alias of the associated identity provider. -- `user_attribute` - (Required) The user attribute name to store SAML attribute. -- `attribute_name` - (Optional) The Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. -- `attribute_friendly_name` - (Optional) The friendly name of attribute to search for in assertion. You can leave this blank and specify an attribute name instead. -- `claim_name` - (Optional) The claim name. - -### Import - -Identity provider mapper can be imported using the format `{{realm_id}}/{{idp_alias}}/{{idp_mapper_id}}`, where `idp_alias` is the identity provider alias, and `idp_mapper_id` is the unique ID that Keycloak -assigns to the mapper upon creation. This value can be found in the URI when editing this mapper in the GUI, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_attribute_importer_identity_provider_mapper.test_mapper my-realm/my-mapper/f446db98-7133-4e30-b18a-3d28fde7ca1b -```
diff --git a/docs-old/resources/keycloak_authentication_execution.md b/docs-old/resources/keycloak_authentication_execution.md
deleted file mode 100644
index 79b7de08e..000000000
--- a/docs-old/resources/keycloak_authentication_execution.md
+++ /dev/null
@@ -1,46 +0,0 @@ -# keycloak_authentication_execution - -Allows for managing an authentication execution. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_authentication_flow" "flow" { - realm_id = keycloak_realm.realm.id - alias = "my-flow-alias" -} - -resource "keycloak_authentication_execution" "execution" { - realm_id = keycloak_realm.realm.id - parent_flow_alias = keycloak_authentication_flow.flow.alias - authenticator = "identity-provider-redirector" - requirement = "REQUIRED" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm the authentication execution exists in. -- `parent_flow_alias` - (Required) The flow this execution is attached to. -- `authenticator` - (Required) The name of the authenticator. -- `requirement`- (Optional) The requirement setting, which can be one of the following: - - `REQUIRED` - - `ALTERNATIVE` - - `DISABLED` - -### Import - -Executions can be imported using the formats: `{{realmId}}/{{parentFlowAlias}}/{{authenticationExecutionId}}`. - -Example: - -```bash -$ terraform import keycloak_authentication_execution my-realm/my-flow/30559fcf-6fb8-45ea-8c46-2b86f46ebc17 -```
diff --git a/docs-old/resources/keycloak_authentication_execution_config.md b/docs-old/resources/keycloak_authentication_execution_config.md
deleted file mode 100644
index 6f696264b..000000000
--- a/docs-old/resources/keycloak_authentication_execution_config.md
+++ /dev/null
@@ -1,53 +0,0 @@ -# keycloak_authentication_execution_config - -Allows for managing an authentication execution configuration. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_authentication_flow" "flow" { - realm_id = keycloak_realm.realm.id - alias = "my-flow-alias" -} - -resource "keycloak_authentication_execution" "execution" { - realm_id = keycloak_realm.realm.id - parent_flow_alias = keycloak_authentication_flow.flow.alias - authenticator = "identity-provider-redirector" -} - -resource "keycloak_authentication_execution_config" "config" { - realm_id = keycloak_realm.realm.id - execution_id = keycloak_authentication_execution.execution.id - alias = "my-config-alias" - config = { - defaultProvider = "my-config-default-idp" - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm the authentication execution exists in. -- `execution_id` - (Required) The authentication execution this configuration is attached to. -- `alias` - (Required) The name of the configuration. -- `config` - (Optional) The configuration. Keys are specific to each configurable authentication execution and not checked when applying. - -### Import - -Configurations can be imported using the format `{{realm}}/{{authenticationExecutionId}}/{{authenticationExecutionConfigId}}`. -If the `authenticationExecutionId` is incorrect, the import will still be successful. -A subsequent apply will change the `authenticationExecutionId` to the correct one, which causes the configuration to be replaced. - -Example: - -```bash -$ terraform import keycloak_authentication_execution_config.config my-realm/be081463-ddbf-4b42-9eff-9c97886f24ff/30559fcf-6fb8-45ea-8c46-2b86f46ebc17 -```
diff --git a/docs-old/resources/keycloak_custom_user_federation.md b/docs-old/resources/keycloak_custom_user_federation.md
deleted file mode 100644
index 30cd4332d..000000000
--- a/docs-old/resources/keycloak_custom_user_federation.md
+++ /dev/null
@@ -1,51 +0,0 @@ -# keycloak_custom_user_federation - -Allows for creating and managing custom user federation providers within Keycloak. - -A custom user federation provider is an implementation of Keycloak's -[User Storage SPI](https://www.keycloak.org/docs/4.2/server_development/index.html#_user-storage-spi). -An example of this implementation can be found [here](https://github.com/mrparkers/terraform-provider-keycloak/tree/master/custom-user-federation-example). - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_custom_user_federation" "custom_user_federation" { - name = "custom" - realm_id = keycloak_realm.realm.id - provider_id = "custom" - - enabled = true - - config = { - dummyString = "foobar" - dummyBool = true - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this provider will provide user federation for. -- `name` - (Required) Display name of the provider when displayed in the console. -- `provider_id` - (Required) The unique ID of the custom provider, specified in the `getId` implementation for the `UserStorageProviderFactory` interface. -- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. -- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. -- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. -- `parent_id` - (Optional) Must be set to the realms' `internal_id` when it differs from the realm. This can happen when existing resources are imported into the state. -- `config` - (Optional) The provider configuration handed over to your custom user federation provider. 
- -### Import - -Custom user federation providers can be imported using the format `{{realm_id}}/{{custom_user_federation_id}}`. -The ID of the custom user federation provider can be found within the Keycloak GUI and is typically a GUID: - -```bash -$ terraform import keycloak_custom_user_federation.custom_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 -```
diff --git a/docs-old/resources/keycloak_default_groups.md b/docs-old/resources/keycloak_default_groups.md
deleted file mode 100644
index 664cb52ac..000000000
--- a/docs-old/resources/keycloak_default_groups.md
+++ /dev/null
@@ -1,42 +0,0 @@ -# keycloak_default_groups - -Allows for managing a realm's default groups. - -Note that you should not use `keycloak_default_groups` with a group with memberships managed -by `keycloak_group_memberships`. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_group" "group" { - realm_id = keycloak_realm.realm.id - name = "my-group" -} - -resource "keycloak_default_groups" "default" { - realm_id = keycloak_realm.realm.id - group_ids = [keycloak_group.group.id] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists in. -- `group_ids` - (Required) A set of group ids that should be default groups on the realm referenced by `realm_id`. - -### Import - -Groups can be imported using the format `{{realm_id}}` where `realm_id` is the realm the group exists in. - -Example: - -```bash -$ terraform import keycloak_default_groups.default my-realm -```
diff --git a/docs-old/resources/keycloak_generic_client_protocol_mapper.md b/docs-old/resources/keycloak_generic_client_protocol_mapper.md
deleted file mode 100644
index 7a7623457..000000000
--- a/docs-old/resources/keycloak_generic_client_protocol_mapper.md
+++ /dev/null
@@ -1,60 +0,0 @@ -# keycloak_generic_client_protocol_mapper - -Allows for creating and managing protocol mapper for both types of clients (openid-connect and saml) within Keycloak. - -There are two uses cases for using this resource: -* If you implemented a custom protocol mapper, this resource can be used to configure it -* If the provider doesn't support a particular protocol mapper, this resource can be used instead. - -Due to the generic nature of this mapper, it is less user-friendly and more prone to configuration errors. -Therefore, if possible, a specific mapper should be used. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client" "saml_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" -} - -resource "keycloak_generic_client_protocol_mapper" "saml_hardcode_attribute_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_saml_client.saml_client.id - name = "tes-mapper" - protocol = "saml" - protocol_mapper = "saml-hardcode-attribute-mapper" - config = { - "attribute.name" = "name" - "attribute.nameformat" = "Basic" - "attribute.value" = "value" - "friendly.name" = "display name" - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required) The client this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. -- `protocol` - (Required) The type of client (either `openid-connect` or `saml`). The type must match the type of the client. -- `protocol_mapper` - (Required) The name of the protocol mapper. The protocol mapper must be - compatible with the specified client. -- `config` - (Required) A map with key / value pairs for configuring the protocol mapper. The supported keys depends on the protocol mapper. 
- -### Import - -Protocol mappers can be imported using the following format: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_generic_client_protocol_mapper.saml_hardcode_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -```
diff --git a/docs-old/resources/keycloak_generic_client_role_mapper.md b/docs-old/resources/keycloak_generic_client_role_mapper.md
deleted file mode 100644
index fc9bd2083..000000000
--- a/docs-old/resources/keycloak_generic_client_role_mapper.md
+++ /dev/null
@@ -1,161 +0,0 @@ -# keycloak_generic_client_role_mapper - -Allow for creating and managing a client's scope mappings within Keycloak. - -By default, all the user role mappings of the user are added as claims within -the token or assertion. When `full_scope_allowed` is set to `false` for a -client, role scope mapping allows you to limit the roles that get declared -inside an access token for a client. - -### Example Usage (Realm Role to Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "client" - name = "client" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "realm_role" { - realm_id = keycloak_realm.realm.id - name = "my-realm-role" - description = "My Realm Role" -} - -resource "keycloak_generic_client_role_mapper" "client_role_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client.id - role_id = keycloak_role.realm_role.id -} -``` - -### Example Usage (Client Role to Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "client_a" { - realm_id = keycloak_realm.realm.id - client_id = "client-a" - name = "client-a" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role_a" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client_a.id - name = "my-client-role" - description = "My Client Role" -} - -resource "keycloak_openid_client" "client_b" { - realm_id = keycloak_realm.realm.id - client_id = "client-b" - name = "client-b" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role_b" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client_b.id - name = "my-client-role" - description = "My Client Role" -} - -resource 
"keycloak_generic_client_role_mapper" "client_b_role_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_client.client_b.id - role_id = keycloak_role.client_role_a.id -} -``` - -### Example Usage (Realm Role to Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "my-client-scope" -} - -resource "keycloak_role" "realm_role" { - realm_id = keycloak_realm.realm.id - name = "my-realm-role" - description = "My Realm Role" -} - -resource "keycloak_generic_client_role_mapper" "client_role_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - role_id = keycloak_role.realm_role.id -} -``` - -### Example Usage (Client Role to Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "client" - name = "client" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client.id - name = "my-client-role" - description = "My Client Role" -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "my-client-scope" -} - -resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_client_scope.client_scope.id - role_id = keycloak_role.client_role.id -} -``` - -### Argument Reference - -The following arugments are supported: - -- `realm_id` - (Required) The realm this role mapper exists within -- `client_id` - (Optional) The ID of the client this role mapper is added to -- `client_scope_id` - (Optional) The ID of the client scope this role mapper is added to -- `role_id` - 
(Required) The ID of the role to be added to this role mapper - diff --git a/docs-old/resources/keycloak_group.md b/docs-old/resources/keycloak_group.md deleted file mode 100644 index b563efc69..000000000 --- a/docs-old/resources/keycloak_group.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# keycloak_group - -Allows for creating and managing Groups within Keycloak. - -Groups provide a logical wrapping for users within Keycloak. Users within a -group can share attributes and roles, and group membership can be mapped -to a claim. - -Attributes can also be defined on Groups. - -Groups can also be federated from external data sources, such as LDAP or Active Directory. -This resource **should not** be used to manage groups that were created this way. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_group" "parent_group" { - realm_id = keycloak_realm.realm.id - name = "parent-group" -} - -resource "keycloak_group" "child_group" { - realm_id = keycloak_realm.realm.id - parent_id = keycloak_group.parent_group.id - name = "child-group" -} - -resource "keycloak_group" "child_group_with_optional_attributes" { - realm_id = keycloak_realm.realm.id - parent_id = keycloak_group.parent_group.id - name = "child-group-with-optional-attributes" - attributes = { - "key1" = "value1" - "key2" = "value2" - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists in. -- `parent_id` - (Optional) The ID of this group's parent. If omitted, this group will be defined at the root level. -- `name` - (Required) The name of the group. -- `attributes` - (Optional) A dict of key/value pairs to set as custom attributes for the group. - -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `path` - The complete path of the group. For example, the child group's path in the example configuration would be `/parent-group/child-group`. - -### Import - -Groups can be imported using the format `{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that Keycloak -assigns to the group upon creation. 
This value can be found in the URI when editing this group in the GUI, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_group.child_group my-realm/934a4a4e-28bd-4703-a0fa-332df153aabd -``` diff --git a/docs-old/resources/keycloak_group_memberships.md b/docs-old/resources/keycloak_group_memberships.md deleted file mode 100644 index 1449a9ade..000000000 --- a/docs-old/resources/keycloak_group_memberships.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# keycloak_group_memberships - -Allows for managing a Keycloak group's members. - -Note that this resource attempts to be an **authoritative** source over group members. -When this resource takes control over a group's members, users that are manually added -to the group will be removed, and users that are manually removed from the group will -be added upon the next run of `terraform apply`. Eventually, a non-authoritative resource -for group membership will be added to this provider. - -Also note that you should not use `keycloak_group_memberships` with a group has been assigned -as a default group via `keycloak_default_groups`. - -This resource **should not** be used to control membership of a group that has its members -federated from an external source via group mapping. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_group" "group" { - realm_id = keycloak_realm.realm.id - name = "my-group" -} - -resource "keycloak_user" "user" { - realm_id = keycloak_realm.realm.id - username = "my-user" -} - -resource "keycloak_group_memberships" "group_members" { - realm_id = keycloak_realm.realm.id - group_id = keycloak_group.group.id - - members = [ - keycloak_user.user.username - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists in. -- `group_id` - (Required) The ID of the group this resource should manage memberships for. -- `members` - (Required) An array of usernames that belong to this group. - -### Import - -This resource does not support import. Instead of importing, feel free to create this resource -as if it did not already exist on the server. diff --git a/docs-old/resources/keycloak_group_roles.md b/docs-old/resources/keycloak_group_roles.md deleted file mode 100644 index ff72fc277..000000000 --- a/docs-old/resources/keycloak_group_roles.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# keycloak_group_roles - -Allows you to manage roles assigned to a Keycloak group. - -Note that this resource attempts to be an **authoritative** source over -group roles. When this resource takes control over a group's roles, -roles that are manually added to the group will be removed, and roles -that are manually removed from the group will be added upon the next run -of `terraform apply`. - -Note that when assigning composite roles to a group, you may see a -non-empty plan following a `terraform apply` if you assign a role and a -composite that includes that role to the same group. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_role" "realm_role" { - realm_id = keycloak_realm.realm.id - name = "my-realm-role" - description = "My Realm Role" -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "client" - name = "client" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_client.client.id - name = "my-client-role" - description = "My Client Role" -} - -resource "keycloak_group" "group" { - realm_id = keycloak_realm.realm.id - name = "my-group" -} - -resource "keycloak_group_roles" "group_roles" { - realm_id = keycloak_realm.realm.id - group_id = keycloak_group.group.id - - role_ids = [ - keycloak_role.realm_role.id, - keycloak_role.client_role.id, - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists in. -- `group_id` - (Required) The ID of the group this resource should - manage roles for. -- `role_ids` - (Required) A list of role IDs to map to the group - -### Import - -This resource can be imported using the format -`{{realm_id}}/{{group_id}}`, where `group_id` is the unique ID that -Keycloak assigns to the group upon creation. 
This value can be found in -the URI when editing this group in the GUI, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_group_roles.group_roles my-realm/18cc6b87-2ce7-4e59-bdc8-b9d49ec98a94 -``` - diff --git a/docs-old/resources/keycloak_identity_provider_token_exchange_scope_permission.md b/docs-old/resources/keycloak_identity_provider_token_exchange_scope_permission.md deleted file mode 100644 index 2fb6cd856..000000000 --- a/docs-old/resources/keycloak_identity_provider_token_exchange_scope_permission.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# keycloak_identity_provider_token_exchange_scope_permission - -Allows you to manage Identity Provider "Token exchange" Scope Based Permissions. - -This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. -More information about enabling the preview feature can be found here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange - -When enabling Identity Provider Permissions, Keycloak does several things automatically: -1. Enable Authorization on build-in realm-management client -1. Create a "token-exchange" scope -1. Create a resource representing the identity provider -1. Create a scope based permission for the "token-exchange" scope and identity provider resource - -The only thing that is missing is a policy set on the permission. -As the policy lives within the context of the realm-management client, you cannot create a policy resource and link to from with your _.tf_ file. This would also cause an implicit cycle dependency. -Thus, the only way to manage this in terraform is to create and manage the policy internally from within this terraform resource itself. -At the moment only a client policy type is supported. The client policy will automatically be created for the clients parameter. 
- -### Example Usage - -```hcl -resource "keycloak_realm" "token-exchange_realm" { - realm = "token-exchange_destination_realm" - enabled = true -} - -resource keycloak_oidc_identity_provider token-exchange_my_oidc_idp { - realm = keycloak_realm.token-exchange_realm.id - alias = "myIdp" - authorization_url = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth" - token_url = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token" - client_id = "clientId" - client_secret = "secret" - default_scopes = "openid" -} - -resource "keycloak_openid_client" "token-exchange_webapp_client" { - realm_id = keycloak_realm.token-exchange_realm.id - name = "webapp_client" - client_id = "webapp_client" - client_secret = "secret" - description = "a webapp client on the destination realm" - access_type = "CONFIDENTIAL" - standard_flow_enabled = true - valid_redirect_uris = [ - "http://localhost:8080/*", - ] -} - -//relevant part -resource "keycloak_identity_provider_token_exchange_scope_permission" "oidc_idp_permission" { - realm_id = keycloak_realm.token-exchange_realm.id - provider_alias = keycloak_oidc_identity_provider.token-exchange_my_oidc_idp.alias - policy_type = "client" - clients = [keycloak_openid_client.token-exchange_webapp_client.id] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this group exists in. -- `provider_alias` - (Required) Alias of the identity provider. -- `policy_type` - (Optional) Defaults to "client" This is also the only value policy type supported by this provider. -- `clients` - (Required) Ids of the clients for which a policy will be created and set on scope based token exchange permission. 
- -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `policy_id` - Policy id that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider. -- `authorization_resource_server_id` - Resource server id representing the realm management client on which this permission is managed. -- `authorization_idp_resource_id` - Resource id representing the identity provider, this automatically created by keycloak. -- `authorization_token_exchange_scope_permission_id` - Permission id representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy id will be set on this permission. - - -### Import - -This resource can be imported using the format -`{{realm_id}}/{{provider_alias}}`, where `provider_alias` is the alias that you assign to the identity provider upon creation. - -Example: - -```bash -$ terraform import keycloak_identity_provider_token_exchange_scope_permission.my_permission my-realm/my_idp -``` - diff --git a/docs-old/resources/keycloak_ldap_full_name_mapper.md b/docs-old/resources/keycloak_ldap_full_name_mapper.md deleted file mode 100644 index 10e86d9ef..000000000 --- a/docs-old/resources/keycloak_ldap_full_name_mapper.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# keycloak_ldap_full_name_mapper - -Allows for creating and managing full name mappers for Keycloak users federated -via LDAP. - -The LDAP full name mapper can map a user's full name from an LDAP attribute -to the first and last name attributes of a Keycloak user. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "openldap" - realm_id = keycloak_realm.realm.id - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "entryDN" - user_object_classes = [ - "simpleSecurityObject", - "organizationalRole" - ] - connection_url = "ldap://openldap" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" -} - -resource "keycloak_ldap_full_name_mapper" "ldap_full_name_mapper" { - realm_id = keycloak_realm.realm.id - ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id - name = "full-name-mapper" - ldap_full_name_attribute = "cn" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -- `name` - (Required) Display name of this mapper when displayed in the console. -- `ldap_full_name_attribute` - (Required) The name of the LDAP attribute containing the user's full name. -- `read_only` - (Optional) When `true`, updates to a user within Keycloak will not be written back to LDAP. Defaults to `false`. -- `write_only` - (Optional) When `true`, this mapper will only be used to write updates to LDAP. Defaults to `false`. - -### Import - -LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
-The ID of the LDAP user federation provider and the mapper can be found within -the Keycloak GUI, and they are typically GUIDs: - -```bash -$ terraform import keycloak_ldap_full_name_mapper.ldap_full_name_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -``` diff --git a/docs-old/resources/keycloak_ldap_group_mapper.md b/docs-old/resources/keycloak_ldap_group_mapper.md deleted file mode 100644 index 7e225cdb2..000000000 --- a/docs-old/resources/keycloak_ldap_group_mapper.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# keycloak_ldap_group_mapper - -Allows for creating and managing group mappers for Keycloak users federated -via LDAP. - -The LDAP group mapper can be used to map an LDAP user's groups from some DN -to Keycloak groups. This group mapper will also create the groups within Keycloak -if they do not already exist. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "openldap" - realm_id = keycloak_realm.realm.id - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "entryDN" - user_object_classes = [ - "simpleSecurityObject", - "organizationalRole" - ] - connection_url = "ldap://openldap" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" -} - -resource "keycloak_ldap_group_mapper" "ldap_group_mapper" { - realm_id = keycloak_realm.realm.id - ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id - name = "group-mapper" - - ldap_groups_dn = "dc=example,dc=org" - group_name_ldap_attribute = "cn" - group_object_classes = [ - "groupOfNames" - ] - membership_attribute_type = "DN" - membership_ldap_attribute = "member" - membership_user_ldap_attribute = "cn" - memberof_ldap_attribute = "memberOf" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -- `name` - (Required) Display name of this mapper when displayed in the console. -- `ldap_groups_dn` - (Required) The LDAP DN where groups can be found. -- `group_name_ldap_attribute` - (Required) The name of the LDAP attribute that is used in group objects for the name and RDN of the group. Typically `cn`. 
-- `group_object_classes` - (Required) Array of strings representing the object classes for the group. Must contain at least one. -- `preserve_group_inheritance` - (Optional) When `true`, group inheritance will be propagated from LDAP to Keycloak. When `false`, all LDAP groups will be propagated as top level groups within Keycloak. -- `ignore_missing_groups` - (Optional) When `true`, missing groups in the hierarchy will be ignored. -- `membership_ldap_attribute` - (Required) The name of the LDAP attribute that is used for membership mappings. -- `membership_attribute_type` - (Optional) Can be one of `DN` or `UID`. Defaults to `DN`. -- `membership_user_ldap_attribute` - (Required) The name of the LDAP attribute on a user that is used for membership mappings. -- `groups_ldap_filter` - (Optional) When specified, adds an additional custom filter to be used when querying for groups. Must start with `(` and end with `)`. -- `mode` - (Optional) Can be one of `READ_ONLY`, `LDAP_ONLY` or `IMPORT`. Defaults to `READ_ONLY`. -- `user_roles_retrieve_strategy` - (Optional) Can be one of `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`, `GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE`, or `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY`. Defaults to `LOAD_GROUPS_BY_MEMBER_ATTRIBUTE`. -- `memberof_ldap_attribute` - (Optional) Specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Defaults to `memberOf`. -- `mapped_group_attributes` - (Optional) Array of strings representing attributes on the LDAP group which will be mapped to attributes on the Keycloak group. -- `drop_non_existing_groups_during_sync` - (Optional) When `true`, groups that no longer exist within LDAP will be dropped in Keycloak during sync. Defaults to `false`. -- `groups_path` - (Optional) Keycloak group path the LDAP groups are added to. 
For example if value '/Applications/App1' is used, then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. The configured group path must already exists in the Keycloak when creating this mapper. The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. - -### Import - -LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -The ID of the LDAP user federation provider and the mapper can be found within -the Keycloak GUI, and they are typically GUIDs: - -```bash -$ terraform import keycloak_ldap_group_mapper.ldap_group_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -``` diff --git a/docs-old/resources/keycloak_ldap_hardcoded_role_mapper.md b/docs-old/resources/keycloak_ldap_hardcoded_role_mapper.md deleted file mode 100644 index 2ec655657..000000000 --- a/docs-old/resources/keycloak_ldap_hardcoded_role_mapper.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# keycloak_ldap_hardcoded_role_mapper - -This mapper will grant a specified Keycloak role to each Keycloak user linked with LDAP. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "openldap" - realm_id = keycloak_realm.realm.id - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "entryDN" - user_object_classes = [ - "simpleSecurityObject", - "organizationalRole" - ] - connection_url = "ldap://openldap" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" -} - -resource "keycloak_ldap_hardcoded_role_mapper" "assign_admin_role_to_all_users" { - realm_id = keycloak_realm.realm.id - ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id - name = "assign-admin-role-to-all-users" - role = "admin" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -- `name` - (Required) Display name of this mapper when displayed in the console. -- `role` - (Required) The role which should be assigned to the users. - -### Import - -LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -The ID of the LDAP user federation provider and the mapper can be found within -the Keycloak GUI, and they are typically GUIDs: - -```bash -$ terraform import keycloak_ldap_hardcoded_role_mapper.ldap_hardcoded_role_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -``` 
diff --git a/docs-old/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md b/docs-old/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md deleted file mode 100644 index 5ef807590..000000000 --- a/docs-old/resources/keycloak_ldap_msad_lds_user_account_control_mapper.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# keycloak_ldap_msad_lds_user_account_control_mapper - -Allows for creating and managing MSAD-LDS user account control mappers for Keycloak -users federated via LDAP. - -The MSAD-LDS (Microsoft Active Directory Lightweight Directory Service) user account control mapper is specific -to LDAP user federation providers that are pulling from AD-LDS, and it can propagate -AD-LDS user state to Keycloak in order to enforce settings like expired passwords -or disabled accounts. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "ad" - realm_id = keycloak_realm.realm.id - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "objectGUID" - user_object_classes = [ - "person", - "organizationalPerson", - "user" - ] - connection_url = "ldap://my-ad-server" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" -} - -resource "keycloak_ldap_msad_lds_user_account_control_mapper" "msad_lds_user_account_control_mapper" { - realm_id = keycloak_realm.realm.id - ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id - name = "msad-lds-user-account-control-mapper" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -- `name` - (Required) Display name of this mapper when displayed in the console. - -### Import - -LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
-The ID of the LDAP user federation provider and the mapper can be found within -the Keycloak GUI, and they are typically GUIDs: - -```bash -$ terraform import keycloak_ldap_msad_lds_user_account_control_mapper.msad_lds_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -``` diff --git a/docs-old/resources/keycloak_ldap_msad_user_account_control_mapper.md b/docs-old/resources/keycloak_ldap_msad_user_account_control_mapper.md deleted file mode 100644 index b1c891a2f..000000000 --- a/docs-old/resources/keycloak_ldap_msad_user_account_control_mapper.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# keycloak_ldap_msad_user_account_control_mapper - -Allows for creating and managing MSAD user account control mappers for Keycloak -users federated via LDAP. - -The MSAD (Microsoft Active Directory) user account control mapper is specific -to LDAP user federation providers that are pulling from AD, and it can propagate -AD user state to Keycloak in order to enforce settings like expired passwords -or disabled accounts. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "ad" - realm_id = keycloak_realm.realm.id - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "objectGUID" - user_object_classes = [ - "person", - "organizationalPerson", - "user" - ] - connection_url = "ldap://my-ad-server" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" -} - -resource "keycloak_ldap_msad_user_account_control_mapper" "msad_user_account_control_mapper" { - realm_id = keycloak_realm.realm.id - ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id - name = "msad-user-account-control-mapper" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -- `name` - (Required) Display name of this mapper when displayed in the console. -- `ldap_password_policy_hints_enabled` - (Optional) When `true`, advanced password policies, such as password hints and previous password history will be used when writing new passwords to AD. Defaults to `false`. - -### Import - -LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. 
-The ID of the LDAP user federation provider and the mapper can be found within -the Keycloak GUI, and they are typically GUIDs: - -```bash -$ terraform import keycloak_ldap_msad_user_account_control_mapper.msad_user_account_control_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -``` diff --git a/docs-old/resources/keycloak_ldap_user_attribute_mapper.md b/docs-old/resources/keycloak_ldap_user_attribute_mapper.md deleted file mode 100644 index cacc28e12..000000000 --- a/docs-old/resources/keycloak_ldap_user_attribute_mapper.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# keycloak_ldap_user_attribute_mapper - -Allows for creating and managing user attribute mappers for Keycloak users -federated via LDAP. - -The LDAP user attribute mapper can be used to map a single LDAP attribute -to an attribute on the Keycloak user model. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "openldap" - realm_id = keycloak_realm.realm.id - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "entryDN" - user_object_classes = [ - "simpleSecurityObject", - "organizationalRole" - ] - connection_url = "ldap://openldap" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" -} - -resource "keycloak_ldap_user_attribute_mapper" "ldap_user_attribute_mapper" { - realm_id = keycloak_realm.realm.id - ldap_user_federation_id = keycloak_ldap_user_federation.ldap_user_federation.id - name = "user-attribute-mapper" - - user_model_attribute = "foo" - ldap_attribute = "bar" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this LDAP mapper will exist in. -- `ldap_user_federation_id` - (Required) The ID of the LDAP user federation provider to attach this mapper to. -- `name` - (Required) Display name of this mapper when displayed in the console. -- `user_model_attribute` - (Required) Name of the user property or attribute you want to map the LDAP attribute into. -- `ldap_attribute` - (Required) Name of the mapped attribute on the LDAP object. -- `read_only` - (Optional) When `true`, this attribute is not saved back to LDAP when the user attribute is updated in Keycloak. Defaults to `false`. -- `always_read_value_from_ldap` - (Optional) When `true`, the value fetched from LDAP will override the value stored in Keycloak. Defaults to `false`. 
-- `is_mandatory_in_ldap` - (Optional) When `true`, this attribute must exist in LDAP. Defaults to `false`. - -### Import - -LDAP mappers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}/{{ldap_mapper_id}}`. -The ID of the LDAP user federation provider and the mapper can be found within -the Keycloak GUI, and they are typically GUIDs: - -```bash -$ terraform import keycloak_ldap_user_attribute_mapper.ldap_user_attribute_mapper my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860/3d923ece-1a91-4bf7-adaf-3b82f2a12b67 -``` diff --git a/docs-old/resources/keycloak_ldap_user_federation.md b/docs-old/resources/keycloak_ldap_user_federation.md deleted file mode 100644 index 4f77be0b5..000000000 --- a/docs-old/resources/keycloak_ldap_user_federation.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# keycloak_ldap_user_federation - -Allows for creating and managing LDAP user federation providers within Keycloak. - -Keycloak can use an LDAP user federation provider to federate users to Keycloak -from a directory system such as LDAP or Active Directory. Federated users -will exist within the realm and will be able to log in to clients. Federated -users can have their attributes defined using mappers. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true -} - -resource "keycloak_ldap_user_federation" "ldap_user_federation" { - name = "openldap" - realm_id = keycloak_realm.realm.id - - enabled = true - - username_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - uuid_ldap_attribute = "entryDN" - user_object_classes = [ - "simpleSecurityObject", - "organizationalRole" - ] - connection_url = "ldap://openldap" - users_dn = "dc=example,dc=org" - bind_dn = "cn=admin,dc=example,dc=org" - bind_credential = "admin" - - connection_timeout = "5s" - read_timeout = "10s" - - kerberos { - kerberos_realm = "FOO.LOCAL" - server_principal = "HTTP/host.foo.com@FOO.LOCAL" - keytab = "/etc/host.keytab" - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm that this provider will provide user federation for. -- `name` - (Required) Display name of the provider when displayed in the console. -- `enabled` - (Optional) When `false`, this provider will not be used when performing queries for users. Defaults to `true`. -- `priority` - (Optional) Priority of this provider when looking up users. Lower values are first. Defaults to `0`. -- `import_enabled` - (Optional) When `true`, LDAP users will be imported into the Keycloak database. Defaults to `true`. -- `edit_mode` - (Optional) Can be one of `READ_ONLY`, `WRITABLE`, or `UNSYNCED`. `UNSYNCED` allows user data to be imported but not synced back to LDAP. Defaults to `READ_ONLY`. 
-- `sync_registrations` - (Optional) When `true`, newly created users will be synced back to LDAP. Defaults to `false`. -- `vendor` - (Optional) Can be one of `OTHER`, `EDIRECTORY`, `AD`, `RHDS`, or `TIVOLI`. When this is selected in the GUI, it provides reasonable defaults for other fields. When used with the Keycloak API, this attribute does nothing, but is still required. Defaults to `OTHER`. -- `username_ldap_attribute` - (Required) Name of the LDAP attribute to use as the Keycloak username. -- `rdn_ldap_attribute` - (Required) Name of the LDAP attribute to use as the relative distinguished name. -- `uuid_ldap_attribute` - (Required) Name of the LDAP attribute to use as a unique object identifier for objects in LDAP. -- `user_object_classes` - (Required) Array of all values of LDAP objectClass attribute for users in LDAP. Must contain at least one. -- `connection_url` - (Required) Connection URL to the LDAP server. -- `users_dn` - (Required) Full DN of LDAP tree where your users are. -- `bind_dn` - (Optional) DN of LDAP admin, which will be used by Keycloak to access LDAP server. This attribute must be set if `bind_credential` is set. -- `bind_credential` - (Optional) Password of LDAP admin. This attribute must be set if `bind_dn` is set. -- `custom_user_search_filter` - (Optional) Additional LDAP filter for filtering searched users. Must begin with `(` and end with `)`. -- `search_scope` - (Optional) Can be one of `ONE_LEVEL` or `SUBTREE`: - - `ONE_LEVEL`: Only search for users in the DN specified by `user_dn`. - - `SUBTREE`: Search entire LDAP subtree. -- `start_tls` - (Optional) When `true`, Keycloak will encrypt the connection to LDAP using STARTTLS, which will disable connection pooling. -- `use_password_modify_extended_op` - (Optional) When `true`, use the LDAPv3 Password Modify Extended Operation (RFC-3062). -- `validate_password_policy` - (Optional) When `true`, Keycloak will validate passwords using the realm policy before updating it. 
-- `trust_email` - (Optional) If enabled, email provided by this provider is not verified even if verification is enabled for the realm. -- `use_truststore_spi` - (Optional) Can be one of `ALWAYS`, `ONLY_FOR_LDAPS`, or `NEVER`: - - `ALWAYS` - Always use the truststore SPI for LDAP connections. - - `NEVER` - Never use the truststore SPI for LDAP connections. - - `ONLY_FOR_LDAPS` - Only use the truststore SPI if your LDAP connection uses the ldaps protocol. -- `connection_timeout` - (Optional) LDAP connection timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). -- `read_timeout` - (Optional) LDAP read timeout in the format of a [Go duration string](https://golang.org/pkg/time/#Duration.String). -- `pagination` - (Optional) When true, Keycloak assumes the LDAP server supports pagination. Defaults to `true`. -- `batch_size_for_sync` - (Optional) The number of users to sync within a single transaction. Defaults to `1000`. -- `full_sync_period` - (Optional) How frequently Keycloak should sync all LDAP users, in seconds. Omit this property to disable periodic full sync. -- `changed_sync_period` - (Optional) How frequently Keycloak should sync changed LDAP users, in seconds. Omit this property to disable periodic changed users sync. -- `cache_policy` - (Optional) Can be one of `DEFAULT`, `EVICT_DAILY`, `EVICT_WEEKLY`, `MAX_LIFESPAN`, or `NO_CACHE`. Defaults to `DEFAULT`. -- `kerberos` - (Optional) A block containing the kerberos settings. - - `kerberos_realm` - (Required) The name of the kerberos realm, e.g. FOO.LOCAL. - - `server_principal` - (Required) The kerberos server principal, e.g. 'HTTP/host.foo.com@FOO.LOCAL'. - - `key_tab` - (Required) Path to the kerberos keytab file on the server with credentials of the service principal. - - `use_kerberos_for_password_authentication` - (Optional) Use kerberos login module instead of ldap service api. Defaults to `false`. 
- -### Import - -LDAP user federation providers can be imported using the format `{{realm_id}}/{{ldap_user_federation_id}}`. -The ID of the LDAP user federation provider can be found within the Keycloak GUI and is typically a GUID: - -```bash -$ terraform import keycloak_ldap_user_federation.ldap_user_federation my-realm/af2a6ca3-e4d7-49c3-b08b-1b3c70b4b860 -```
diff --git a/docs-old/resources/keycloak_oidc_identity_provider.md b/docs-old/resources/keycloak_oidc_identity_provider.md
deleted file mode 100644
index ada17fb2e..000000000
--- a/docs-old/resources/keycloak_oidc_identity_provider.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# keycloak_oidc_identity_provider - -Allows to create and manage OIDC Identity Providers within Keycloak. - -OIDC (OpenID Connect) identity providers allows to authenticate through a third-party system, using OIDC standard. - -### Example Usage - -```hcl -resource "keycloak_realm" "my-realm" { - realm = "my-realm" - enabled = true - display_name = "my-realm" -} - -resource "keycloak_oidc_identity_provider" "realm_identity_provider" { - realm = "my-realm" - alias = "my-idp" - authorization_url = "https://authorizationurl.com" - client_id = "clientID" - client_secret = "clientSecret" # or "$${vault.ID}" - token_url = "https://tokenurl.com" - - extra_config = { - "clientAuthMethod" = "client_secret_post" - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm` - (Required) The name of the realm. This is unique across Keycloak. -- `alias` - (Required) The alias uniquely identifies an identity provider and it is also used to build the redirect uri. -- `authorization_url` - (Required) The Authorization Url. -- `client_id` - (Required) The client or client identifier registered within the identity provider. -- `client_secret` - (Required) The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format. -- `token_url` - (Required) The Token URL. -- `extra_config` - (Optional) this block is needed to set extra configuration (Not yet supported variables or custom extensions) - - `clientAuthMethod` (Optional) The client authentication method. Since Keycloak 8, this is a required attribute if OIDC provider is created over the Keycloak Userinterface. 
- It accepts the values `client_secret_post` (Client secret sent as post), `client_secret_basic` (Client secret sent as basic auth), `client_secret_jwt` (Client secret as jwt) and `private_key_jwt ` (JTW signed with private key) -- `provider_id` - (Optional) The Provider id, defaults to `oidc`, unless you have a custom implementation. -- `backchannel_supported` - (Optional) Does the external IDP support backchannel logout ? Defaults to `true`. -- `validate_signature` - (Optional) Enable/disable signature validation of external IDP signatures. Defaults to `false`. -- `user_info_url` - (Optional) User Info URL. -- `jwks_url` - (Optional) JSON Web Key Set URL. -- `hide_on_login_page` - (Optional) Hide On Login Page. Defaults to `false`. -- `logout_url` - (Optional) The Logout URL is the end session endpoint to use to logout user from external identity provider. -- `login_hint` - (Optional) Pass login hint to identity provider. -- `ui_locales` - (Optional) Pass current locale to identity provider. Defaults to `false`. -- `accepts_prompt_none_forward_from_client` (Optional) Specifies whether the IDP accepts forwarded authentication requests that contain the prompt=none query parameter or not -- `default_scopes` - (Optional) The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'. - -### Import - -Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. - -Example: - -```bash -$ terraform import keycloak_oidc_identity_provider.realm_identity_provider my-realm/my-idp -```
diff --git a/docs-old/resources/keycloak_openid_audience_protocol_mapper.md b/docs-old/resources/keycloak_openid_audience_protocol_mapper.md
deleted file mode 100644
index 69734a7c5..000000000
--- a/docs-old/resources/keycloak_openid_audience_protocol_mapper.md
+++ /dev/null
@@ -1,86 +0,0 @@ -# keycloak_openid_audience_protocol_mapper - -Allows for creating and managing audience protocol mappers within -Keycloak. This mapper was added in Keycloak v4.6.0.Final. - -Audience protocol mappers allow you add audiences to the `aud` claim -within issued tokens. The audience can be a custom string, or it can be -mapped to the ID of a pre-existing client. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "audience-mapper" - - included_custom_audience = "foo" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "audience-mapper" - - included_custom_audience = "foo" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. 
-- `included_client_audience` - (Required if `included_custom_audience` is not specified) A client ID to include within the token's `aud` claim. -- `included_custom_audience` - (Required if `included_client_audience` is not specified) A custom audience to include within the token's `aud` claim. -- `add_to_id_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the audience should be included in the `aud` claim for the id token. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_audience_protocol_mapper.audience_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -```
diff --git a/docs-old/resources/keycloak_openid_client.md b/docs-old/resources/keycloak_openid_client.md
deleted file mode 100644
index c251900dc..000000000
--- a/docs-old/resources/keycloak_openid_client.md
+++ /dev/null
@@ -1,87 +0,0 @@ -# keycloak_openid_client - -Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. - -Clients are entities that can use Keycloak for user authentication. Typically, -clients are applications that redirect users to Keycloak for authentication -in order to take advantage of Keycloak's user sessions for SSO. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] - - login_theme = "keycloak" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client is attached to. -- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. -- `name` - (Optional) The display name of this client in the GUI. -- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. -- `description` - (Optional) The description of this client in the GUI. -- `access_type` - (Required) Specifies the type of client, which can be one of the following: - - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating. - This client should be used for applications using the Authorization Code or Client Credentials grant flows. - - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect - URIs for security. This client should be used for applications using the Implicit grant flow. - - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests. 
-- `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and -should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute. -- `standard_flow_enabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`. -- `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. -- `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. -- `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. -- `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple -wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` -is set to `true`. -- `web_origins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. -- `root_url` - (Optional) When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. - - NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required. -- `admin_url` - (Optional) URL to the admin interface of the client. -- `base_url` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client. -- `pkce_code_challenge_method` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``. 
-- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token. -- `access_token_lifespan` - (Optional) - Allow to set the lifespan of the access token -- `consent_required` - (Optional) - Consent Required: If enabled, users have to consent to client access. -- `authentication_flow_binding_overrides` - (Optional) - Override realm authentication flow bindings - - `browers_id` - (Optional) - Browser flow id, (flow needs to exist) - - `direct_grant_id` - (Optional) - Direct grant flow id (flow needs to exist) -- `login_theme` - (Optional) - Override realm login theme - -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `service_account_user_id` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account. - - -### Import - -Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak -assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_openid_client.openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 -```
diff --git a/docs-old/resources/keycloak_openid_client_default_scopes.md b/docs-old/resources/keycloak_openid_client_default_scopes.md
deleted file mode 100644
index 843f89c84..000000000
--- a/docs-old/resources/keycloak_openid_client_default_scopes.md
+++ /dev/null
@@ -1,65 +0,0 @@ -# keycloak_openid_client_default_scopes - -Allows for managing a Keycloak client's default client scopes. A default -scope that is attached to a client using the OpenID Connect protocol will -automatically use the protocol mappers defined within that scope to build -claims for this client regardless of the provided OAuth2.0 `scope` parameter. - -Note that this resource attempts to be an **authoritative** source over -default scopes for a Keycloak client using the OpenID Connect protocol. -This means that once Terraform controls a particular client's default scopes, -it will attempt to remove any default scopes that were attached manually, -and it will attempt to add any default scopes that were detached manually. - -By default, Keycloak sets the `profile`, `email`, `roles`, and `web-origins` -scopes as default scopes for every newly created client. If you create this -resource for the first time and do not include these scopes, a following run -of `terraform plan` will result in changes. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - access_type = "CONFIDENTIAL" -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_client_default_scopes" "client_default_scopes" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client.id - - default_scopes = [ - "profile", - "email", - "roles", - "web-origins", - keycloak_openid_client_scope.client_scope.name - ] -} - -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client and scopes exists in. -- `client_id` - (Required) The ID of the client to attach default scopes to. Note that this is the unique ID of the client generated by Keycloak. 
-- `default_scopes` - (Required) An array of client scope names to attach to this client. - -### Import - -This resource does not support import. Instead of importing, feel free to create this resource -as if it did not already exist on the server.
diff --git a/docs-old/resources/keycloak_openid_client_optional_scopes.md b/docs-old/resources/keycloak_openid_client_optional_scopes.md
deleted file mode 100644
index 5ac9d615d..000000000
--- a/docs-old/resources/keycloak_openid_client_optional_scopes.md
+++ /dev/null
@@ -1,65 +0,0 @@ -# keycloak_openid_client_optional_scopes - -Allows for managing a Keycloak client's optional client scopes. An optional -scope that is attached to a client using the OpenID Connect protocol will -allow a client to request it using the OAuth 2.0 `scope` parameter. When -requested, the scope's protocol mappers defined within that scope will be -used to build claims for this client. - -Note that this resource attempts to be an **authoritative** source over -optional scopes for a Keycloak client using the OpenID Connect protocol. -This means that once Terraform controls a particular client's optional scopes, -it will attempt to remove any optional scopes that were attached manually, -and it will attempt to add any optional scopes that were detached manually. - -By default, Keycloak sets the `address`, `phone` and `offline_access` scopes as -optional scopes for every newly created client. If you create this resource for -the first time and do not include these scopes, a following run of `terraform plan` -will result in changes. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - access_type = "CONFIDENTIAL" -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_client_optional_scopes" "client_optional_scopes" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client.id - - optional_scopes = [ - "address", - "phone", - "offline_access", - keycloak_openid_client_scope.client_scope.name - ] -} - -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client and scopes exists in. -- `client_id` - (Required) The ID of the client to attach optional scopes to. 
Note that this is the unique ID of the client generated by Keycloak. -- `optional_scopes` - (Required) An array of client scope names to attach to this client as optional scopes. - -### Import - -This resource does not support import. Instead of importing, feel free to create this resource -as if it did not already exist on the server.
diff --git a/docs-old/resources/keycloak_openid_client_scope.md b/docs-old/resources/keycloak_openid_client_scope.md
deleted file mode 100644
index a9ec50ee8..000000000
--- a/docs-old/resources/keycloak_openid_client_scope.md
+++ /dev/null
@@ -1,49 +0,0 @@ -# keycloak_openid_client_scope - -Allows for creating and managing Keycloak client scopes that can be attached to -clients that use the OpenID Connect protocol. - -Client Scopes can be used to share common protocol and role mappings between multiple -clients within a realm. They can also be used by clients to conditionally request -claims or roles for a user based on the OAuth 2.0 `scope` parameter. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "openid_client_scope" { - realm_id = keycloak_realm.realm.id - name = "groups" - description = "When requested, this scope will map a user's group memberships to a claim" - include_in_token_scope = true - gui_order = 1 -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client scope belongs to. -- `name` - (Required) The display name of this client scope in the GUI. -- `description` - (Optional) The description of this client scope in the GUI. -- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users -authenticating to clients with this scope attached. The consent screen will display the string -value of this attribute. -- `include_in_token_scope` - (Optional) When `true`, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. -- `gui_order` - (Optional) Specify order of the client scope in GUI (such as in Consent page) as integer. - -### Import - -Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak -assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. 
- -Example: - -```bash -$ terraform import keycloak_openid_client_scope.openid_client_scope my-realm/8e8f7fe1-df9b-40ed-bed3-4597aa0dac52 -```
diff --git a/docs-old/resources/keycloak_openid_client_service_account_role.md b/docs-old/resources/keycloak_openid_client_service_account_role.md
deleted file mode 100644
index af9caba15..000000000
--- a/docs-old/resources/keycloak_openid_client_service_account_role.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# keycloak_openid_client_service_account_role - -Allows for assigning roles to the service account of an openid client. - -You need to set `service_accounts_enabled` to `true` for the openid client that should be assigned the role. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -// client1 provides a role to other clients -resource "keycloak_openid_client" "client1" { - realm_id = keycloak_realm.realm.id - name = "client1" -} - -resource "keycloak_role" "client1_role" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client1.id - name = "my-client1-role" - description = "A role that client1 provides" -} - -// client2 is assigned the role of client1 -resource "keycloak_openid_client" "client2" { - realm_id = keycloak_realm.realm.id - name = "client2" - service_accounts_enabled = true -} - -resource "keycloak_openid_client_service_account_role" "client2_service_account_role" { - realm_id = keycloak_realm.realm.id - service_account_user_id = keycloak_openid_client.client2.service_account_user_id - client_id = keycloak_openid_client.client1.id - role = keycloak_role.client1_role.name -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm the clients and roles belong to. -- `service_account_user_id` - (Required) The id of the service account that is assigned the role (the service account of the client that "consumes" the role). -- `client_id` - (Required) The id of the client that provides the role. -- `role` - (Required) The name of the role that is assigned.
diff --git a/docs-old/resources/keycloak_openid_full_name_protocol_mapper.md b/docs-old/resources/keycloak_openid_full_name_protocol_mapper.md
deleted file mode 100644
index 126a9db0d..000000000
--- a/docs-old/resources/keycloak_openid_full_name_protocol_mapper.md
+++ /dev/null
@@ -1,82 +0,0 @@ -# keycloak_openid_full_name_protocol_mapper - -Allows for creating and managing full name protocol mappers within -Keycloak. - -Full name protocol mappers allow you to map a user's first and last name -to the OpenID Connect `name` claim in a token. Protocol mappers can be defined -for a single client, or they can be defined for a client scope which can -be shared between multiple different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "full-name-mapper" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_full_name_protocol_mapper" "full_name_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "full-name-mapper" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. 
-- `add_to_id_token` - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_full_name_protocol_mapper.full_name_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -```
diff --git a/docs-old/resources/keycloak_openid_group_membership_protocol_mapper.md b/docs-old/resources/keycloak_openid_group_membership_protocol_mapper.md
deleted file mode 100644
index 8d39e4560..000000000
--- a/docs-old/resources/keycloak_openid_group_membership_protocol_mapper.md
+++ /dev/null
@@ -1,88 +0,0 @@ -# keycloak_openid_group_membership_protocol_mapper - -Allows for creating and managing group membership protocol mappers within -Keycloak. - -Group membership protocol mappers allow you to map a user's group memberships -to a claim in a token. Protocol mappers can be defined for a single client, -or they can be defined for a client scope which can be shared between multiple -different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "group-membership-mapper" - - claim_name = "groups" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "group-membership-mapper" - - claim_name = "groups" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-- `name` - (Required) The display name of this protocol mapper in the GUI. -- `claim_name` - (Required) The name of the claim to insert into a token. -- `full_path` - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to `true`. -- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md b/docs-old/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md deleted file mode 100644 index 6f9c162c9..000000000 --- a/docs-old/resources/keycloak_openid_hardcoded_claim_protocol_mapper.md +++ /dev/null 
@@ -1,91 +0,0 @@ -# keycloak_openid_hardcoded_claim_protocol_mapper - -Allows for creating and managing hardcoded claim protocol mappers within -Keycloak. - -Hardcoded claim protocol mappers allow you to define a claim with a hardcoded -value. Protocol mappers can be defined for a single client, or they can -be defined for a client scope which can be shared between multiple different -clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "hardcoded-claim-mapper" - - claim_name = "foo" - claim_value = "bar" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_hardcoded_claim_protocol_mapper" "hardcoded_claim_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "hardcoded-claim-mapper" - - claim_name = "foo" - claim_value = "bar" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-- `name` - (Required) The display name of this protocol mapper in the GUI. -- `claim_name` - (Required) The name of the claim to insert into a token. -- `claim_value` - (Required) The hardcoded value of the claim. -- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. -- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_hardcoded_claim_protocol_mapper.hardcoded_claim_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_openid_hardcoded_role_protocol_mapper.md b/docs-old/resources/keycloak_openid_hardcoded_role_protocol_mapper.md deleted file mode 100644 index 645dc4c73..000000000 --- a/docs-old/resources/keycloak_openid_hardcoded_role_protocol_mapper.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# keycloak_openid_hardcoded_role_protocol_mapper - -Allows for creating and managing hardcoded role protocol mappers within -Keycloak. - -Hardcoded role protocol mappers allow you to specify a single role to -always map to an access token for a client. Protocol mappers can be -defined for a single client, or they can be defined for a client scope -which can be shared between multiple different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_role" "role" { - realm_id = keycloak_realm.realm.id - name = "my-role" -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "hardcoded-role-mapper" - role_id = keycloak_role.role.id -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_role" "role" { - realm_id = keycloak_realm.realm.id - name = "my-role" -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_hardcoded_role_protocol_mapper" "hardcoded_role_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "hardcoded-role-mapper" - role_id = "${keycloak_role.role.id}" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. 
-- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the - GUI. -- `role_id` - (Required) The ID of the role to map to an access token. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_hardcoded_role_protocol_mapper.hardcoded_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_openid_user_attribute_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_attribute_protocol_mapper.md deleted file mode 100644 index ea23f660a..000000000 --- a/docs-old/resources/keycloak_openid_user_attribute_protocol_mapper.md +++ /dev/null 
@@ -1,92 +0,0 @@ -# keycloak_openid_user_attribute_protocol_mapper - -Allows for creating and managing user attribute protocol mappers within -Keycloak. - -User attribute protocol mappers allow you to map custom attributes defined -for a user within Keycloak to a claim in a token. Protocol mappers can be -defined for a single client, or they can be defined for a client scope which -can be shared between multiple different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "test-mapper" - - user_attribute = "foo" - claim_name = "bar" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_user_attribute_protocol_mapper" "user_attribute_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "test-mapper" - - user_attribute = "foo" - claim_name = "bar" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-- `name` - (Required) The display name of this protocol mapper in the GUI. -- `user_attribute` - (Required) The custom user attribute to map a claim for. -- `claim_name` - (Required) The name of the claim to insert into a token. -- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. -- `multivalued` - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. -- `add_to_id_token` - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to `true`. -- `aggregate_attributes`- (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to `false`. -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_user_attribute_protocol_mapper.user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_openid_user_client_role_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_client_role_protocol_mapper.md deleted file mode 100644 index 990278af6..000000000 
--- a/docs-old/resources/keycloak_openid_user_client_role_protocol_mapper.md
+++ /dev/null
@@ -1,83 +0,0 @@ -# keycloak_openid_user_client_role_protocol_mapper - -Allows for creating and managing user client role protocol mappers within -Keycloak. - -User client role protocol mappers allow you to define a claim containing the list of a client roles. -Protocol mappers can be defined for a single client, or they can -be defined for a client scope which can be shared between multiple different -clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - name = "test client" - enabled = true - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} -resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "user-client-role-mapper" - claim_name = "foo" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} -resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "user-client-role-mapper" - claim_name = "foo" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. 
-- `claim_name` - (Required) The name of the claim to insert into a token. -- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. -- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. -- `client_id_for_role_mappings` - (Optional) The Client ID for role mappings. Just client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token. -- `client_role_prefix` - (Optional) A prefix for each Client Role. -- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_user_client_role_protocol_mapper.user_client_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_user_client_role_protocol_mapper.user_client_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` 
diff --git a/docs-old/resources/keycloak_openid_user_property_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_property_protocol_mapper.md
deleted file mode 100644
index 3ff47b388..000000000
--- a/docs-old/resources/keycloak_openid_user_property_protocol_mapper.md
+++ /dev/null
@@ -1,91 +0,0 @@ -# keycloak_openid_user_property_protocol_mapper - -Allows for creating and managing user property protocol mappers within -Keycloak. - -User property protocol mappers allow you to map built in properties defined -on the Keycloak user interface to a claim in a token. Protocol mappers can be -defined for a single client, or they can be defined for a client scope which -can be shared between multiple different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "test-mapper" - - user_property = "email" - claim_name = "email" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_user_property_protocol_mapper" "user_property_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "test-mapper" - - user_property = "email" - claim_name = "email" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-- `name` - (Required) The display name of this protocol mapper in the GUI. -- `user_property` - (Required) The built in user property (such as email) to map a claim for. -- `claim_name` - (Required) The name of the claim to insert into a token. -- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. -- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_user_property_protocol_mapper.user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_openid_user_realm_role_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_realm_role_protocol_mapper.md deleted file mode 100644 index db7964ceb..000000000 --- a/docs-old/resources/keycloak_openid_user_realm_role_protocol_mapper.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# keycloak_openid_user_realm_role_protocol_mapper - -Allows for creating and managing user realm role protocol mappers within -Keycloak. - -User realm role protocol mappers allow you to define a claim containing the list of the realm roles. -Protocol mappers can be defined for a single client, or they can -be defined for a client scope which can be shared between multiple different -clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - - name = "test client" - enabled = true - - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} - -resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - name = "user-realm-role-mapper" - - claim_name = "foo" -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" { - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - name = "user-realm-role-mapper" - - claim_name = "foo" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. 
-- `name` - (Required) The display name of this protocol mapper in the GUI. -- `claim_name` - (Required) The name of the claim to insert into a token. -- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. -- `multivalued` - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to `false`. -- `realm_role_prefix` - (Optional) A prefix for each Realm Role. -- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. -- `add_to_userinfo` - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_openid_user_session_note_protocol_mapper.md b/docs-old/resources/keycloak_openid_user_session_note_protocol_mapper.md deleted file mode 100644 index 19bbd40fd..000000000 --- a/docs-old/resources/keycloak_openid_user_session_note_protocol_mapper.md +++ /dev/null 
@@ -1,89 +0,0 @@ -# keycloak_openid_user_session_note_protocol_mapper - -Allows for creating and managing user session note protocol mappers within -Keycloak. - -User session note protocol mappers map a custom user session note to a token claim. -Protocol mappers can be defined for a single client, or they can -be defined for a client scope which can be shared between multiple different -clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} -resource "keycloak_openid_client" "openid_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-client" - name = "test client" - enabled = true - access_type = "CONFIDENTIAL" - valid_redirect_uris = [ - "http://localhost:8080/openid-callback" - ] -} -resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_client" { - name = "tf-test-open-id-user-session-note-protocol-mapper-client" - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.openid_client.id - claim_name = "foo" - claim_value_type = "String" - session_note = "bar" - add_to_id_token = true - add_to_access_token = false -} -``` - -### Example Usage (Client Scope) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} -resource "keycloak_openid_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} -resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_client_scope" { - name = "tf-test-open-id-user-session-note-protocol-mapper-client-scope" - realm_id = keycloak_realm.realm.id - client_scope_id = keycloak_openid_client_scope.client_scope.id - claim_name = "foo" - claim_value_type = "String" - session_note = "bar" - add_to_id_token = true - add_to_access_token = false -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. 
-- `client_id` - (Required if `client_scope_id` is not specified) The client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. -- `claim_name` - (Required) The name of the claim to insert into a token. -- `claim_value_type` - (Optional) The claim type used when serializing JSON tokens. Can be one of `String`, `JSON`, `long`, `int`, or `boolean`. Defaults to `String`. -- `session_note` - (Optional) String value being the name of stored user session note within the UserSessionModel.note map. -- `session_note_label` - (Optional) **Deprecated** Use `session_note` instead. -- `add_to_id_token` - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to `true`. -- `add_to_access_token` - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to `true`. - -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_openid_user_session_note_protocol_mapper.user_session_note_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_openid_user_session_note_protocol_mapper.user_session_note_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_realm.md b/docs-old/resources/keycloak_realm.md deleted file mode 100644 index d35a295e7..000000000 --- a/docs-old/resources/keycloak_realm.md +++ /dev/null 
@@ -1,198 +0,0 @@ -# keycloak_realm - -Allows for creating and managing Realms within Keycloak. - -A realm manages a logical collection of users, credentials, roles, and groups. -Users log in to realms and can be federated from multiple sources. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" - enabled = true - display_name = "test realm" - display_name_html = "test realm" - - login_theme = "base" - - access_code_lifespan = "1h" - ssl_required = "external" - password_policy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername" - attributes = { - mycustomAttribute = "myCustomValue" - } - - smtp_server { - host = "smtp.example.com" - from = "example@example.com" - - auth { - username = "tom" - password = "password" - } - } - - internationalization { - supported_locales = [ - "en", - "de", - "es" - ] - default_locale = "en" - } - - security_defenses { - headers { - x_frame_options = "DENY" - content_security_policy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';" - content_security_policy_report_only = "" - x_content_type_options = "nosniff" - x_robots_tag = "none" - x_xss_protection = "1; mode=block" - strict_transport_security = "max-age=31536000; includeSubDomains" - } - brute_force_detection { - permanent_lockout = false - max_login_failures = 30 - wait_increment_seconds = 60 - quick_login_check_milli_seconds = 1000 - minimum_quick_login_wait_seconds = 60 - max_failure_wait_seconds = 900 - failure_reset_time_seconds = 43200 - } - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm` - (Required) The name of the realm. This is unique across Keycloak. -- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. -- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. 
-- `display_name_html` - (Optional) The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. -- `user_managed_access` - (Optional) When true, users are allowed to manage their own resources. Defaults to `false`. - -##### Login Settings - -The following attributes are all booleans, and can be found in the "Login" tab within the realm settings. -If any of these attributes are not specified, they will default to Keycloak's default settings. - -- `registration_allowed` - (Optional) When true, user registration will be enabled, and a link for registration will be displayed on the login page. -- `registration_email_as_username` - (Optional) When true, the user's email will be used as their username during registration. -- `edit_username_allowed` - (Optional) When true, the username field is editable. -- `reset_password_allowed` - (Optional) When true, a "forgot password" link will be displayed on the login page. -- `remember_me` - (Optional) When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts. -- `verify_email` - (Optional) When true, users are required to verify their email address after registration and after email address changes. -- `login_with_email_allowed` - (Optional) When true, users may log in with their email address. -- `duplicate_emails_allowed` - (Optional) When true, multiple users will be allowed to have the same email address. This attribute must be set to `false` if `login_with_email_allowed` is set to `true`. -- `ssl_required` - (Optional) Can be one of following values: 'none, 'external' or 'all' - -##### Themes - -The following attributes can be used to configure themes for the realm. Custom themes can be specified here. -If any of these attributes are not specified, they will default to Keycloak's default settings. Typically the `keycloak` theme is used by default. 
- -- `login_theme` - (Optional) Used for the login, forgot password, and registration pages. -- `account_theme` - (Optional) Used for account management pages. -- `admin_theme` - (Optional) Used for the admin console. -- `email_theme` - (Optional) Used for emails that are sent by Keycloak. - -##### Tokens - -The following attributes can be found in the "Tokens" tab within the realm settings. - -- `default_signature_algorithm` - (Optional) Default algorithm used to sign tokens for the realm. -- `revoke_refresh_token` - (Optional) If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused. -- `refresh_token_max_reuse` - (Optional) Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused. - -The attributes below should be specified as [Go duration strings](https://golang.org/pkg/time/#Duration.String). They will default to Keycloak's default settings. - -- `sso_session_idle_timeout` - (Optional) The amount of time a session can be idle before it expires. -- `sso_session_max_lifespan` - (Optional) The maximum amount of time before a session expires regardless of activity. -- `sso_session_idle_timeout_remember_me` - (Optional) The amount of time a "remember me" session can be idle before it expires. -- `sso_session_max_lifespan_remember_me` - (Optional) The maximum amount of time before a "remember me" session expires regardless of activity. -- `offline_session_idle_timeout` - (Optional) The amount of time an offline session can be idle before it expires. -- `offline_session_max_lifespan` - (Optional) The maximum amount of time before an offline session expires regardless of activity. -- `offline_session_max_lifespan_enabled` - (Optional) Enable `offline_session_max_lifespan`. 
-- `access_token_lifespan` - (Optional) The amount of time an access token can be used before it expires. -- `access_token_lifespan_for_implicit_flow` - (Optional) The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires. -- `access_code_lifespan` - (Optional) The maximum amount of time a client has to finish the authorization code flow. -- `access_code_lifespan_login` - (Optional) The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted. -- `access_code_lifespan_user_action` - (Optional) The maximum amount of time a user has to complete login related actions, such as updating a password. -- `action_token_generated_by_user_lifespan` - (Optional) The maximum time a user has to use a user-generated permit before it expires. -- `action_token_generated_by_admin_lifespan` - (Optional) The maximum time a user has to use an admin-generated permit before it expires. -- `oauth2_device_code_lifespan` - (Optional) The maximum amount of time a client has to finish the device code flow before it expires. - -The attributes below should be specified in seconds. - -- `oauth2_device_polling_interval` - (Optional) The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. - -##### SMTP - -The `smtp_server` block can be used to configure the realm's SMTP settings, which can be found in the "Email" tab in the GUI. -This block supports the following attributes: - -- `host` - (Required) The host of the SMTP server. -- `port` - (Optional) The port of the SMTP server (defaults to 25). -- `from` - (Required) The email address for the sender. -- `from_display_name` - (Optional) The display name of the sender email address. -- `reply_to` - (Optional) The "reply to" email address. -- `reply_to_display_name` - (Optional) The display name of the "reply to" email address. 
-- `envelope_from` - (Optional) The email address uses for bounces. -- `starttls` - (Optional) When `true`, enables StartTLS. Defaults to `false`. -- `ssl` - (Optional) When `true`, enables SSL. Defaults to `false`. -- `auth` - (Optional) Enables authentication to the SMTP server. This block supports the following attributes: - - `username`- (Required) The SMTP server username. - - `password` - (Required) The SMTP server password. - -##### Internationalization - -Internationalization support can be configured by using the `internationalization` block, which supports the following attributes: - -- `supported_locales` - (Required) A list of [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes) locale codes that the realm should support. -- `default_locale` - (Required) The locale to use by default. This locale code must be present within the `supported_locales` list. - -##### Security Defenses Headers - -Header configuration support for browser security settings and brute force detection. It can be configured trough the`security_defenses` block using the `headers` and the `brute_force_detection` subblocks. - -The `headers` block supports the following attributes: - -- `x_frame_options` - (Optional) Sets the x-frame-option, could be used for prevent pages from being included by non-origin iframes. More Infos could be found in the [RFC7034](https://tools.ietf.org/html/rfc7034) -- `content_security_policy` - (Optional) Sets the Content Security Policy, could be used for prevent pages from being included by non-origin iframes. More Infos could be found in the [W3C-CSP](https://www.w3.org/TR/CSP/) Abstract. -- `content_security_policy_report_only` - (Optional) For testing Content Security Policies. -- `x_content_type_options` - (Optional) Sets the X-Content-Type-Options, could be used for prevent MIME-sniffing a respone away from the declared content-type -- `x_robots_tag` - (Optional) Prevent pages from appearing in search engines. 
-- `x_xss_protection` - (Optional) This header configures the Cross-site scripting (XSS) filter in your browser. -- `strict_transport_security` - (Optional) The Script-Transport-Security HTTP header tells browsers to always use HTTPS. Maxage could be set and subdomains could be also included. - -The `brute_force_detection` block supports the following attributes: - -- `permanent_lockout` - (Optional) Lock the user permanently when the user exceeds the maximum login failures. -- `max_login_failures` - (Optional) How many failures before wait is triggered. -- `wait_increment_seconds` - (Optional) When failure threshold has been met, how much time should the user be locked out? -- `quick_login_check_milli_seconds` - (Optional) If a failure happens concurrently too quickly, lock out the user. -- `minimum_quick_login_wait_seconds` - (Optional) How long to wait after a quick login failure. -- `max_failure_wait_seconds ` - (Optional) Max. time a user will be locked out. -- `failure_reset_time_seconds` - (Optional) When will failure count be reset? - -#### Atributes - -Map, can be used to add custom attributes to a realm. Or perhaps influence a certain attribute that is not supported in this terraform-provider - -### Attributes Reference - -In addition to the arguments listed above, the following computed attributes are exported: - -- `internal_id` - When importing realms created outside of this terraform provider, they could use generated arbitrary IDs for the technical realm id. Realms created by this provider always use the realm's name for its technical id. - -### Import - -Realms can be imported using their name: - -```bash -$ terraform import keycloak_realm.realm test -``` diff --git a/docs-old/resources/keycloak_realm_events.md b/docs-old/resources/keycloak_realm_events.md deleted file mode 100644 index 5957d876b..000000000 --- a/docs-old/resources/keycloak_realm_events.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# keycloak_realm_events - -Allows for managing Realm Events settings within Keycloak. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "test" -} - -resource "keycloak_realm_events" "realm_events" { - realm_id = keycloak_realm.realm.id - - events_enabled = true - events_expiration = 3600 - - admin_events_enabled = true - admin_events_details_enabled = true - - # When omitted or left empty, keycloak will enable all event types - enabled_event_types = [ - "LOGIN", - "LOGOUT", - ] - - events_listeners = [ - "jboss-logging", # keycloak enables the 'jboss-logging' event listener by default. - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The name of the realm the event settings apply to. -- `admin_events_enabled` - (Optional) When true, admin events are saved to the database, making them available through the admin console. Defaults to `false`. -- `admin_events_details_enabled` - (Optional) When true, saved admin events will included detailed information for create/update requests. Defaults to `false`. -- `events_enabled` - (Optional) When true, events from `enabled_event_types` are saved to the database, making them available through the admin console. Defaults to `false`. -- `events_expiration` - (Optional) The amount of time in seconds events will be saved in the database. Defaults to `0` or never. -- `enabled_event_types` - (Optional) The event types that will be saved to the database. Omitting this field enables all event types. Defaults to `[]` or all event types. -- `events_listeners` - (Optional) The event listeners that events should be sent to. Defaults to `[]` or none. Note that new realms enable the `jboss-logging` listener by default, and this resource will remove that unless it is specified. diff --git a/docs-old/resources/keycloak_role.md b/docs-old/resources/keycloak_role.md deleted file mode 100644 index 08cf55cf8..000000000 
--- a/docs-old/resources/keycloak_role.md
+++ /dev/null
@@ -1,136 +0,0 @@ -# keycloak_role - -Allows for creating and managing roles within Keycloak. - -Roles allow you define privileges within Keycloak and map them to users -and groups. - -### Example Usage (Realm role) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_role" "realm_role" { - realm_id = keycloak_realm.realm.id - name = "my-realm-role" - description = "My Realm Role" -} -``` - -### Example Usage (Client role) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "client" - name = "client" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_openid_client.client.id - name = "my-client-role" - description = "My Client Role" -} -``` - -### Example Usage (Composite role) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -# realm roles - -resource "keycloak_role" "create_role" { - realm_id = keycloak_realm.realm.id - name = "create" -} - -resource "keycloak_role" "read_role" { - realm_id = keycloak_realm.realm.id - name = "read" -} - -resource "keycloak_role" "update_role" { - realm_id = keycloak_realm.realm.id - name = "update" -} - -resource "keycloak_role" "delete_role" { - realm_id = keycloak_realm.realm.id - name = "delete" -} - -# client role - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "client" - name = "client" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_client.client.id - name = "my-client-role" - description = "My Client Role" -} - -resource "keycloak_role" "admin_role" { - realm_id = keycloak_realm.realm.id - name = "admin" - composite_roles = [ - 
"{keycloak_role.create_role.id}", - "{keycloak_role.read_role.id}", - "{keycloak_role.update_role.id}", - "{keycloak_role.delete_role.id}", - "{keycloak_role.client_role.id}", - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this role exists within. -- `client_id` - (Optional) When specified, this role will be created as - a client role attached to the client with the provided ID -- `name` - (Required) The name of the role -- `description` - (Optional) The description of the role -- `composite_roles` - (Optional) When specified, this role will be a - composite role, composed of all roles that have an ID present within - this list. - - -### Import - -Roles can be imported using the format `{{realm_id}}/{{role_id}}`, where -`role_id` is the unique ID that Keycloak assigns to the role. The ID is -not easy to find in the GUI, but it appears in the URL when editing the -role. - -Example: - -```bash -$ terraform import keycloak_role.role my-realm/7e8cf32a-8acb-4d34-89c4-04fb1d10ccad -``` diff --git a/docs-old/resources/keycloak_saml_client.md b/docs-old/resources/keycloak_saml_client.md deleted file mode 100644 index c5e93024c..000000000 --- a/docs-old/resources/keycloak_saml_client.md +++ /dev/null 
@@ -1,74 +0,0 @@ -# keycloak_saml_client - -Allows for creating and managing Keycloak clients that use the SAML protocol. - -Clients are entities that can use Keycloak for user authentication. Typically, -clients are applications that redirect users to Keycloak for authentication -in order to take advantage of Keycloak's user sessions for SSO. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client" "saml_client" { - realm_id = keycloak_realm.realm.id - client_id = "test-saml-client" - name = "test-saml-client" - - sign_documents = false - sign_assertions = true - include_authn_statement = true - - signing_certificate = "${file("saml-cert.pem")}" - signing_private_key = "${file("saml-key.pem")}" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client is attached to. -- `client_id` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. -- `name` - (Optional) The display name of this client in the GUI. -- `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. -- `description` - (Optional) The description of this client in the GUI. -- `include_authn_statement` - (Optional) When `true`, an `AuthnStatement` will be included in the SAML response. -- `sign_documents` - (Optional) When `true`, the SAML document will be signed by Keycloak using the realm's private key. -- `sign_assertions` - (Optional) When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. -- `encrypt_assertions` - (Optional) When `true`, the SAML assertions will be encrypted by Keycloak using the client's public key. 
-- `client_signature_required` - (Optional) When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signing_certificate` and `signing_private_key`. -- `force_post_binding` - (Optional) When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. -- `front_channel_logout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout. -- `name_id_format` - (Optional) Sets the Name ID format for the subject. -- `force_name_id_format` - (Optional) Ignore requested NameID subject format and use the one defined in `name_id_format` instead. -- `signature_algorithm` - (Optional) The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA512", or "DSA_SHA1". -- `root_url` - (Optional) When specified, this value is prepended to all relative URLs. -- `valid_redirect_uris` - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. -- `base_url` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client. -- `master_saml_processing_url` - (Optional) When specified, this URL will be used for all SAML requests. -- `encryption_certificate` - (Optional) If assertions for the client are encrypted, this certificate will be used for encryption. -- `signing_certificate` - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature. -- `signing_private_key` - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature. -- `idp_initiated_sso_url_name` - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO. 
-- `idp_initiated_sso_relay_state` - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO. -- `assertion_consumer_post_url` - (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses). -- `assertion_consumer_redirect_url` - (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses). -- `logout_service_post_binding_url` - (Optional) SAML POST Binding URL for the client's single logout service. -- `logout_service_redirect_binding_url` - (Optional) SAML Redirect Binding URL for the client's single logout service. -- `full_scope_allowed` - (Optional) - Allow to include all roles mappings in the access token - -### Import - -Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak -assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_saml_client.saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352 -``` diff --git a/docs-old/resources/keycloak_saml_client_default_scopes.md b/docs-old/resources/keycloak_saml_client_default_scopes.md deleted file mode 100644 index 7bda6a0e2..000000000 --- a/docs-old/resources/keycloak_saml_client_default_scopes.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# keycloak_saml_client_default_scopes - -Allows for managing a Keycloak client's default client scopes. A default -scope that is attached to a client using the SAML protocol will -automatically use the protocol mappers defined within that scope to build -claims for this client. - -Note that this resource attempts to be an **authoritative** source over -default scopes for a Keycloak client using the SAML protocol. -This means that once Terraform controls a particular client's default scopes, -it will attempt to remove any default scopes that were attached manually, -and it will attempt to add any default scopes that were detached manually. - -By default, Keycloak sets the `role_list` scope as default scope for every -newly created client. If you create this resource for the first time and -do not include this scope, a following run of `terraform plan` will result -in changes. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "test-saml-client" - name = "test-saml-client" - - sign_documents = false - sign_assertions = true - include_authn_statement = true - - signing_certificate = "${file("saml-cert.pem")}" - signing_private_key = "${file("saml-key.pem")}" -} - -resource "keycloak_saml_client_scope" "client_scope" { - realm_id = keycloak_realm.realm.id - name = "test-client-scope" -} - -resource "keycloak_saml_client_default_scopes" "client_default_scopes" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_saml_client.client.id - - default_scopes = [ - "role_list", - keycloak_saml_client_scope.client_scope.name - ] -} - -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client and scopes exists in. -- `client_id` - (Required) The ID of the client to attach default scopes to. 
Note that this is the unique ID of the client generated by Keycloak. -- `default_scopes` - (Required) An array of client scope names to attach to this client. - -### Import - -This resource does not support import. Instead of importing, feel free to create this resource -as if it did not already exist on the server. diff --git a/docs-old/resources/keycloak_saml_client_scope.md b/docs-old/resources/keycloak_saml_client_scope.md deleted file mode 100644 index e81a6f91d..000000000 --- a/docs-old/resources/keycloak_saml_client_scope.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# keycloak_saml_client_scope - -Allows for creating and managing Keycloak client scopes that can be attached to -clients that use the SAML protocol. - -Client Scopes can be used to share common protocol and role mappings between multiple -clients within a realm. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client_scope" "saml_client_scope" { - realm_id = keycloak_realm.realm.id - name = "groups" - description = "This scope will map a user's group memberships to SAML assertion" - gui_order = 1 -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this client scope belongs to. -- `name` - (Required) The display name of this client scope in the GUI. -- `description` - (Optional) The description of this client scope in the GUI. -- `consent_screen_text` - (Optional) When set, a consent screen will be displayed to users -authenticating to clients with this scope attached. The consent screen will display the string -value of this attribute. -- `gui_order` - (Optional) Specify order of the client scope in GUI (such as in Consent page) as integer. - -### Import - -Client scopes can be imported using the format `{{realm_id}}/{{client_scope_id}}`, where `client_scope_id` is the unique ID that Keycloak -assigns to the client scope upon creation. This value can be found in the URI when editing this client scope in the GUI, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_saml_client_scope.saml_client_scope my-realm/e8a5d115-6985-4de3-a0f5-732e1be4525e -``` diff --git a/docs-old/resources/keycloak_saml_identity_provider.md b/docs-old/resources/keycloak_saml_identity_provider.md deleted file mode 100644 index 9b123a4d1..000000000 --- a/docs-old/resources/keycloak_saml_identity_provider.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# keycloak_saml_identity_provider - -Allows to create and manage SAML Identity Providers within Keycloak. - -SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard. - -### Example Usage - -```hcl -resource "keycloak_saml_identity_provider" "realm_identity_provider" { - realm = "my-realm" - alias = "my-idp" - entity_id = "https://domain.com/entity_id" - single_sign_on_service_url = "https://domain.com/adfs/ls/" - single_logout_service_url = "https://domain.com/adfs/ls/?wa=wsignout1.0" - backchannel_supported = true - post_binding_response = true - post_binding_logout = true - post_binding_authn_request = true - store_token = false - trust_email = true - force_authn = true -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm` - (Required) The name of the realm. This is unique across Keycloak. -- `alias` - (Optional) The uniq name of identity provider. -- `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. -- `display_name` - (Optional) The display name for the realm that is shown when logging in to the admin console. -- `store_token` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. -- `add_read_token_role_on_create` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. -- `trust_email` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. -- `link_only` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. 
-- `hide_on_login_page` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. -- `first_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. -- `post_broker_login_flow_alias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty. -- `authenticate_by_default` - (Optional) Authenticate users by default. Defaults to `false`. - -#### SAML Configuration - -- `entity_id` - (Required) The Entity ID that will be used to uniquely identify this SAML Service Provider. -- `single_sign_on_service_url` - (Required) The Url that must be used to send authentication requests (SAML AuthnRequest). -- `single_logout_service_url` - (Optional) The Url that must be used to send logout requests. -- `backchannel_supported` - (Optional) Does the external IDP support back-channel logout ?. -- `name_id_policy_format` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. -- `post_binding_response` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.. -- `post_binding_authn_request` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
-- `post_binding_logout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. -- `want_assertions_signed` - (Optional) Indicates whether this service provider expects a signed Assertion. -- `want_assertions_encrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. -- `force_authn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. -- `validate_signature` - (Optional) Enable/disable signature validation of SAML responses. -- `signing_certificate` - (Optional) Signing Certificate. -- `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty. -- `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty. - -### Import - -Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. - -Example: - -```bash -$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp -``` diff --git a/docs-old/resources/keycloak_saml_user_attribute_protocol_mapper.md b/docs-old/resources/keycloak_saml_user_attribute_protocol_mapper.md deleted file mode 100644 index 1246dd216..000000000 --- a/docs-old/resources/keycloak_saml_user_attribute_protocol_mapper.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# keycloak_saml_user_attribute_protocol_mapper - -Allows for creating and managing user attribute protocol mappers for -SAML clients within Keycloak. - -SAML user attribute protocol mappers allow you to map custom attributes defined -for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers -can be defined for a single client, or they can be defined for a client scope which -can be shared between multiple different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client" "saml_client" { - realm_id = keycloak_realm.test.id - client_id = "test-saml-client" - name = "test-saml-client" -} - -resource "keycloak_saml_user_attribute_protocol_mapper" "saml_user_attribute_mapper" { - realm_id = keycloak_realm.test.id - client_id = keycloak_saml_client.saml_client.id - name = "displayname-user-attribute-mapper" - - user_attribute = "displayName" - saml_attribute_name = "displayName" - saml_attribute_name_format = "Unspecified" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. -- `user_attribute` - (Required) The custom user attribute to map. -- `friendly_name` - (Optional) An optional human-friendly name for this attribute. -- `saml_attribute_name` - (Required) The name of the SAML attribute. -- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. 
- -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_saml_user_attribute_protocol_mapper.saml_user_attribute_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_saml_user_property_protocol_mapper.md b/docs-old/resources/keycloak_saml_user_property_protocol_mapper.md deleted file mode 100644 index 1d8a16a82..000000000 --- a/docs-old/resources/keycloak_saml_user_property_protocol_mapper.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# keycloak_saml_user_property_protocol_mapper - -Allows for creating and managing user property protocol mappers for -SAML clients within Keycloak. - -SAML user property protocol mappers allow you to map properties of the Keycloak -user model to an attribute in a SAML assertion. Protocol mappers -can be defined for a single client, or they can be defined for a client scope which -can be shared between multiple different clients. - -### Example Usage (Client) - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_saml_client" "saml_client" { - realm_id = keycloak_realm.test.id - client_id = "test-saml-client" - name = "test-saml-client" -} - -resource "keycloak_saml_user_property_protocol_mapper" "saml_user_property_mapper" { - realm_id = keycloak_realm.test.id - client_id = keycloak_saml_client.saml_client.id - name = "email-user-property-mapper" - - user_property = "email" - saml_attribute_name = "email" - saml_attribute_name_format = "Unspecified" -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this protocol mapper exists within. -- `client_id` - (Required if `client_scope_id` is not specified) The SAML client this protocol mapper is attached to. -- `client_scope_id` - (Required if `client_id` is not specified) The SAML client scope this protocol mapper is attached to. -- `name` - (Required) The display name of this protocol mapper in the GUI. -- `user_property` - (Required) The property of the Keycloak user model to map. -- `friendly_name` - (Optional) An optional human-friendly name for this attribute. -- `saml_attribute_name` - (Required) The name of the SAML attribute. -- `saml_attribute_name_format` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`. 
- -### Import - -Protocol mappers can be imported using one of the following formats: -- Client: `{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}` -- Client Scope: `{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}` - -Example: - -```bash -$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -$ terraform import keycloak_saml_user_property_protocol_mapper.saml_user_property_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 -``` diff --git a/docs-old/resources/keycloak_user.md b/docs-old/resources/keycloak_user.md deleted file mode 100644 index 08c450a5a..000000000 --- a/docs-old/resources/keycloak_user.md +++ /dev/null 
@@ -1,77 +0,0 @@ -# keycloak_user - -Allows for creating and managing Users within Keycloak. - -This resource was created primarily to enable the acceptance tests for the `keycloak_group` resource. -Creating users within Keycloak is not recommended. Instead, users should be federated from external sources -by configuring user federation providers or identity providers. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_user" "user" { - realm_id = keycloak_realm.realm.id - username = "bob" - enabled = true - - email = "bob@domain.com" - first_name = "Bob" - last_name = "Bobson" -} - -resource "keycloak_user" "user_with_initial_password" { - realm_id = keycloak_realm.realm.id - username = "alice" - enabled = true - - email = "alice@domain.com" - first_name = "Alice" - last_name = "Aliceberg" - - attributes = { - foo = "bar" - } - - initial_password { - value = "some password" - temporary = true - } -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this user belongs to. -- `username` - (Required) The unique username of this user. -- `initial_password` (Optional) When given, the user's initial password will be set. - This attribute is only respected during initial user creation. - - `value` (Required) The initial password. - - `temporary` (Optional) If set to `true`, the initial password is set up for renewal on first use. Default to `false`. -- `enabled` - (Optional) When false, this user cannot log in. Defaults to `true`. -- `email` - (Optional) The user's email. -- `email_verified` - (Optional) Whether the email address was validated or not. Default to `false`. -- `first_name` - (Optional) The user's first name. -- `last_name` - (Optional) The user's last name. 
-- `attributes` - (Optional) A map representing attributes for the user -- `federated_identity` - (Optional) When specified, the user will be linked to a federated identity provider. Refer to the [federated user example](https://github.com/mrparkers/terraform-provider-keycloak/blob/master/example/federated_user_example.tf) for more details. - - `identity_provider` - (Required) The name of the identity provider - - `user_id` - (Required) The ID of the user defined in the identity provider - - `user_name` - (Required) The user name of the user defined in the identity provider - -### Import - -Users can be imported using the format `{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that Keycloak -assigns to the user upon creation. This value can be found in the GUI when editing the user. - -Example: - -```bash -$ terraform import keycloak_user.user my-realm/60c3f971-b1d3-4b3a-9035-d16d7540a5e4 -``` diff --git a/docs-old/resources/keycloak_user_roles.md b/docs-old/resources/keycloak_user_roles.md deleted file mode 100644 index 1b88a2684..000000000 --- a/docs-old/resources/keycloak_user_roles.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# keycloak_user_roles - -Allows you to manage roles assigned to a Keycloak user. - -Note that this resource attempts to be an **authoritative** source over -user roles. When this resource takes control over a user's roles, -roles that are manually assigned to the user will be removed, and roles -that are manually removed from the user will be assigned upon the next run -of `terraform apply`. - -Note that when assigning composite roles to a user, you may see a -non-empty plan following a `terraform apply` if you assign a role and a -composite that includes that role to the same user. - -### Example Usage - -```hcl -resource "keycloak_realm" "realm" { - realm = "my-realm" - enabled = true -} - -resource "keycloak_role" "realm_role" { - realm_id = keycloak_realm.realm.id - name = "my-realm-role" - description = "My Realm Role" -} - -resource "keycloak_openid_client" "client" { - realm_id = keycloak_realm.realm.id - client_id = "client" - name = "client" - - enabled = true - - access_type = "BEARER-ONLY" -} - -resource "keycloak_role" "client_role" { - realm_id = keycloak_realm.realm.id - client_id = keycloak_client.client.id - name = "my-client-role" - description = "My Client Role" -} - -resource "keycloak_user" "user" { - realm_id = keycloak_realm.realm.id - username = "bob" - enabled = true - - email = "bob@domain.com" - first_name = "Bob" - last_name = "Bobson" -} - -resource "keycloak_user_roles" "user_roles" { - realm_id = keycloak_realm.realm.id - user_id = keycloak_user.user.id - - role_ids = [ - keycloak_role.realm_role.id, - keycloak_role.client_role.id, - ] -} -``` - -### Argument Reference - -The following arguments are supported: - -- `realm_id` - (Required) The realm this user exists in. -- `user_id` - (Required) The ID of the user this resource should - manage roles for. 
-- `role_ids` - (Required) A list of role IDs to map to the user - -### Import - -This resource can be imported using the format -`{{realm_id}}/{{user_id}}`, where `user_id` is the unique ID that -Keycloak assigns to the user upon creation. This value can be found in -the GUI when editing the user, and is typically a GUID. - -Example: - -```bash -$ terraform import keycloak_user_roles.user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924 -``` - diff --git a/docs/resources/openid_client.md b/docs/resources/openid_client.md index ca301a77d..69854bda7 100644 --- a/docs/resources/openid_client.md +++ b/docs/resources/openid_client.md 
@@ -62,8 +62,8 @@ resource "keycloak_openid_client" "openid_client" { - `implicit_flow_enabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`. - `direct_access_grants_enabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`. - `service_accounts_enabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`. -- `frontchannel_logout_enabled` - (Optional) When `true`, Frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. -- `frontchannel_logout_url` - (Optional) Frontchannel logout url. `frontchannel_logout_enabled` must be `true`. +- `frontchannel_logout_enabled` - (Optional) When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`. +- `frontchannel_logout_url` - (Optional) The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`. - `valid_redirect_uris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` is set to `true`. diff --git a/mkdocs.yml b/mkdocs.yml deleted file mode 100644 index 1334cb7bb..000000000 --- a/mkdocs.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -site_name: "Terraform Provider: Keycloak" -site_url: https://mrparkers.github.io/terraform-provider-keycloak/ -repo_url: https://github.com/mrparkers/terraform-provider-keycloak -nav: -- Getting Started: index.md -- Data Sources: - - keycloak_group: data_sources/keycloak_group.md - - keycloak_openid_client: data_sources/keycloak_openid_client.md - - keycloak_realm: data_sources/keycloak_realm.md - - keycloak_realm_keys: data_sources/keycloak_realm_keys.md - - keycloak_role: data_sources/keycloak_role.md - - keycloak_saml_client_installation_provider: data_sources/keycloak_saml_client_installation_provider.md -- Resources: - - keycloak_realm: resources/keycloak_realm.md - - keycloak_realm_events: resources/keycloak_realm_events.md - - keycloak_role: resources/keycloak_role.md - - keycloak_user: resources/keycloak_user.md - - keycloak_user_roles: resources/keycloak_user_roles.md - - keycloak_group: resources/keycloak_group.md - - keycloak_group_memberships: resources/keycloak_group_memberships.md - - keycloak_group_roles: resources/keycloak_group_roles.md - - keycloak_default_groups: resources/keycloak_default_groups.md - - keycloak_openid_client: resources/keycloak_openid_client.md - - keycloak_openid_client_scope: resources/keycloak_openid_client_scope.md - - keycloak_openid_client_default_scopes: resources/keycloak_openid_client_default_scopes.md - - keycloak_openid_client_optional_scopes: resources/keycloak_openid_client_optional_scopes.md - - keycloak_openid_user_attribute_protocol_mapper: resources/keycloak_openid_user_attribute_protocol_mapper.md - - keycloak_openid_user_property_protocol_mapper: resources/keycloak_openid_user_property_protocol_mapper.md - - keycloak_openid_group_membership_protocol_mapper: resources/keycloak_openid_group_membership_protocol_mapper.md - - keycloak_openid_hardcoded_claim_protocol_mapper: resources/keycloak_openid_hardcoded_claim_protocol_mapper.md - - keycloak_openid_full_name_protocol_mapper: 
resources/keycloak_openid_full_name_protocol_mapper.md - - keycloak_openid_audience_protocol_mapper: resources/keycloak_openid_audience_protocol_mapper.md - - keycloak_openid_hardcoded_role_protocol_mapper: resources/keycloak_openid_hardcoded_role_protocol_mapper.md - - keycloak_openid_user_realm_role_protocol_mapper: resources/keycloak_openid_user_realm_role_protocol_mapper.md - - keycloak_openid_user_client_role_protocol_mapper: resources/keycloak_openid_user_client_role_protocol_mapper.md - - keycloak_openid_user_session_note_protocol_mapper: resources/keycloak_openid_user_session_note_protocol_mapper.md - - keycloak_openid_client_service_account_role: resources/keycloak_openid_client_service_account_role.md - - keycloak_saml_client: resources/keycloak_saml_client.md - - keycloak_saml_user_attribute_protocol_mapper: resources/keycloak_saml_user_attribute_protocol_mapper.md - - keycloak_saml_user_property_protocol_mapper: resources/keycloak_saml_user_property_protocol_mapper.md - - keycloak_saml_client_default_scopes: resources/keycloak_saml_client_default_scopes.md - - keycloak_saml_client_scope: resources/keycloak_saml_client_scope.md - - keycloak_generic_client_protocol_mapper: resources/keycloak_generic_client_protocol_mapper.md - - keycloak_ldap_user_federation: resources/keycloak_ldap_user_federation.md - - keycloak_ldap_full_name_mapper: resources/keycloak_ldap_full_name_mapper.md - - keycloak_ldap_group_mapper: resources/keycloak_ldap_group_mapper.md - - keycloak_ldap_hardcoded_role_mapper: resources/keycloak_ldap_hardcoded_role_mapper.md - - keycloak_ldap_msad_user_account_control_mapper: resources/keycloak_ldap_msad_user_account_control_mapper.md - - keycloak_ldap_msad_lds_user_account_control_mapper: resources/keycloak_ldap_msad_lds_user_account_control_mapper.md - - keycloak_ldap_user_attribute_mapper: resources/keycloak_ldap_user_attribute_mapper.md - - keycloak_custom_user_federation: resources/keycloak_custom_user_federation.md - - 
keycloak_saml_identity_provider: resources/keycloak_saml_identity_provider.md - - keycloak_oidc_identity_provider: resources/keycloak_oidc_identity_provider.md - - keycloak_generic_client_role_mapper: resources/keycloak_generic_client_role_mapper.md - - keycloak_attribute_importer_identity_provider_mapper: resources/keycloak_attribute_importer_identity_provider_mapper.md - - keycloak_authentication_execution: resources/keycloak_authentication_execution.md - - keycloak_authentication_execution_config: resources/keycloak_authentication_execution_config.md - - keycloak_identity_provider_token_exchange_scope_permission: resources/keycloak_identity_provider_token_exchange_scope_permission.md -theme: readthedocs -extra_css: [index.css] diff --git a/provider/resource_keycloak_ldap_user_federation_test.go b/provider/resource_keycloak_ldap_user_federation_test.go index b1d9a26fc..628fd28d9 100644 --- a/provider/resource_keycloak_ldap_user_federation_test.go +++ b/provider/resource_keycloak_ldap_user_federation_test.go @@ -160,6 +160,7 @@ func generateRandomLdapKerberos(enabled bool) *keycloak.LdapUserFederation { EvictionDay: &evictionDay, EvictionHour: &evictionHour, EvictionMinute: &evictionMinute, + EditMode: "WRITABLE", } } @@ -274,6 +275,7 @@ func TestAccKeycloakLdapUserFederation_basicUpdateAll(t *testing.T) { EvictionDay: &evictionDay, EvictionHour: &evictionHour, EvictionMinute: &evictionMinute, + EditMode: "WRITABLE", } evictionDay = acctest.RandIntRange(0, 6) @@ -312,6 +314,7 @@ func TestAccKeycloakLdapUserFederation_basicUpdateAll(t *testing.T) { EvictionDay: &evictionDay, EvictionHour: &evictionHour, EvictionMinute: &evictionMinute, + EditMode: "WRITABLE", } resource.Test(t, resource.TestCase{ @@ -649,6 +652,7 @@ resource "keycloak_ldap_user_federation" "openldap" { bind_credential = "%s" search_scope = "%s" + edit_mode = "%s" start_tls = %t use_password_modify_extended_op = %t validate_password_policy = %t 
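Review bot: All three fixtures pin `EditMode: "WRITABLE",` (this hunk in `generateRandomLdapKerberos` and the two struct literals in `TestAccKeycloakLdapUserFederation_basicUpdateAll` at the `@@ -274` and `@@ -312` hunks), so the update test applies the same edit mode on both steps and never exercises a change of `edit_mode`, which is the one field this commit threads into the template. Giving the second fixture a different value, e.g. `EditMode: "READ_ONLY",` in the `@@ -312` hunk, would cover the transition, and since `WRITABLE` is the mode that lets Keycloak write back to the directory it also verifies that lowering it is applied rather than silently kept. The `@@ -649` hunk and the argument-list hunk on the next line put `edit_mode` directly after `search_scope` in both the template and the positional `fmt.Sprintf` arguments, which matches; a short comment above the template such as `// placeholders and Sprintf arguments below must stay in the same order` would help the next person inserting a field into that thirty-argument call. The enclosing functions of the `@@ -274`, `@@ -312` and `@@ -649` hunks start outside the hunks.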
@@ -677,7 +681,7 @@ resource "keycloak_ldap_user_federation" "openldap" { eviction_minute = %d } } - `, testAccRealmUserFederation.Realm, ldap.Name, ldap.Enabled, ldap.UsernameLDAPAttribute, ldap.RdnLDAPAttribute, ldap.UuidLDAPAttribute, arrayOfStringsForTerraformResource(ldap.UserObjectClasses), ldap.ConnectionUrl, ldap.UsersDn, ldap.BindDn, ldap.BindCredential, ldap.SearchScope, ldap.StartTls, ldap.UsePasswordModifyExtendedOp, ldap.ValidatePasswordPolicy, ldap.TrustEmail, ldap.UseTruststoreSpi, ldap.ConnectionTimeout, ldap.ReadTimeout, ldap.Pagination, ldap.BatchSizeForSync, ldap.FullSyncPeriod, ldap.ChangedSyncPeriod, ldap.ServerPrincipal, ldap.UseKerberosForPasswordAuthentication, ldap.KeyTab, ldap.KerberosRealm, ldap.CachePolicy, ldap.MaxLifespan, *ldap.EvictionDay, *ldap.EvictionHour, *ldap.EvictionMinute) + `, testAccRealmUserFederation.Realm, ldap.Name, ldap.Enabled, ldap.UsernameLDAPAttribute, ldap.RdnLDAPAttribute, ldap.UuidLDAPAttribute, arrayOfStringsForTerraformResource(ldap.UserObjectClasses), ldap.ConnectionUrl, ldap.UsersDn, ldap.BindDn, ldap.BindCredential, ldap.SearchScope, ldap.EditMode, ldap.StartTls, ldap.UsePasswordModifyExtendedOp, ldap.ValidatePasswordPolicy, ldap.TrustEmail, ldap.UseTruststoreSpi, ldap.ConnectionTimeout, ldap.ReadTimeout, ldap.Pagination, ldap.BatchSizeForSync, ldap.FullSyncPeriod, ldap.ChangedSyncPeriod, ldap.ServerPrincipal, ldap.UseKerberosForPasswordAuthentication, ldap.KeyTab, ldap.KerberosRealm, ldap.CachePolicy, ldap.MaxLifespan, *ldap.EvictionDay, *ldap.EvictionHour, *ldap.EvictionMinute) } func testKeycloakLdapUserFederation_basicWithAttrValidation(attr, ldap, val string) string { diff --git a/provider/resource_keycloak_openid_client_test.go b/provider/resource_keycloak_openid_client_test.go index 259b27a8e..f4d062829 100644 --- a/provider/resource_keycloak_openid_client_test.go +++ b/provider/resource_keycloak_openid_client_test.go 
@@ -1417,8 +1417,8 @@ resource "keycloak_openid_client" "client" { realm_id = data.keycloak_realm.realm.id access_type = "CONFIDENTIAL" - frontchannel_logout_url = "%s" - frontchannel_logout_enabled = %t + frontchannel_logout_url = "%s" + frontchannel_logout_enabled = %t } `, testAccRealm.Realm, clientId, frontchannelLogoutUrl, frontchannelLogoutEnabled) }