### Import Example (Client) Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_group_membership_protocol_mapper.md This example demonstrates how to import an existing group membership protocol mapper associated with a client. ```bash $ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ``` -------------------------------- ### keycloak_openid_client_permissions Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_permissions.md Example of how to create an OpenID client and then manage its view scope permissions using a user policy. ```hcl resource "keycloak_realm" "realm" { realm = "realm" } resource "keycloak_openid_client" "my_openid_client" { realm_id = keycloak_realm.realm.id name = "my_openid_client" client_id = "my_openid_client" client_secret = "secret" access_type = "CONFIDENTIAL" standard_flow_enabled = true valid_redirect_uris = [ "http://localhost:8080/*", ] } data "keycloak_openid_client" "realm_management" { realm_id = keycloak_realm.realm.id client_id = "realm-management" } resource keycloak_user test { realm_id = keycloak_realm.realm.id username = "test-user" email = "test-user@fakedomain.com" first_name = "Testy" last_name = "Tester" } resource keycloak_openid_client_user_policy test { resource_server_id = data.keycloak_openid_client.realm_management.id realm_id = keycloak_realm.realm.id name = "client_user_policy_test" users = [ keycloak_user.test.id ] logic = "POSITIVE" decision_strategy = "UNANIMOUS" depends_on = [ keycloak_openid_client.my_openid_client ] } resource "keycloak_openid_client_permissions" "my_permission" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.my_openid_client.id view_scope { policies = [ keycloak_openid_client_user_policy.test.id, ] description = "my description" decision_strategy = "UNANIMOUS" } } ``` -------------------------------- ### Onboard new users with Keycloak Workflow Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/workflow.md This example mirrors the official Keycloak workflow guide. The workflow sends a welcome notification, requires a password update after 30 days, and then restarts the workflow. It triggers on every user_created event. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_workflow" "onboarding" { realm = keycloak_realm.realm.id name = "onboarding-new-users" on = "user_created" enabled = true step { uses = "notify-user" config = { message = <<-EOT

Dear $${user.firstName} $${user.lastName},

Welcome to $${realm.displayName}!

Best regards,
The Keycloak Team

EOT } } step { uses = "set-user-required-action" after = "2592000000" # 30 days in milliseconds config = { action = "UPDATE_PASSWORD" } } # restart is a workflow control-flow step (loop back to step 1) step { uses = "restart" config = { position = "1" } } } ``` -------------------------------- ### Import Example (Client Scope) Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_group_membership_protocol_mapper.md This example demonstrates how to import an existing group membership protocol mapper associated with a client scope. ```bash $ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4 ``` -------------------------------- ### Build and Run Example Project for Debugging Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/README.md This sequence of commands builds the example project for debugging and then applies it using Terraform. Ensure the local environment is set up using 'make local' prior to running these commands. ```bash make build-example cd example terraform init terraform plan -out tfplan terraform apply tfplan rm tfplan ``` -------------------------------- ### Example Usage: Realm Role to Client Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_role_mapper.md This example demonstrates how to map a realm role to a client. Ensure the realm, client, and role resources are defined. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "client" { realm_id = keycloak_realm.realm.id client_id = "client" name = "client" enabled = true access_type = "BEARER-ONLY" } resource "keycloak_role" "realm_role" { realm_id = keycloak_realm.realm.id name = "my-realm-role" description = "My Realm Role" } resource "keycloak_generic_client_role_mapper" "client_role_mapper" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client.id role_id = keycloak_role.realm_role.id } ``` -------------------------------- ### keycloak_realm_user_profile Resource Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/realm_user_profile.md Example usage for creating a realm user profile resource. ```APIDOC ## keycloak_realm_user_profile Resource Example ### Description Example usage for creating a realm user profile resource. ### Method Not applicable (Terraform resource configuration) ### Endpoint Not applicable (Terraform resource configuration) ### Parameters #### Path Parameters - None #### Query Parameters - None #### Request Body - `realm_id` (string) - Required - The ID of the realm the user profile applies to. - `unmanaged_attribute_policy` (string) - Optional - Unmanaged attributes are user attributes not explicitly defined in the user profile configuration. By default, unmanaged attributes are not enabled. Value could be one of `DISABLED`, `ENABLED`, `ADMIN_EDIT` or `ADMIN_VIEW`. If value is not specified it means `DISABLED`. - `attribute` (list of objects) - Optional - An ordered list of attributes. - `name` (string) - Required - The name of the attribute. - `display_name` (string) - Optional - The display name of the attribute. - `default_value` (string) - Optional - The default value of the attribute. Only applied with Keycloak 26.4.0 or later. - `multi_valued` (boolean) - Optional - If the attribute supports multiple values. Defaults to `false`. - `group` (string) - Optional - The group that the attribute belong to. - `enabled_when_scope` (list of strings) - Optional - A list of scopes. The attribute will only be enabled when these scopes are requested by clients. - `required_for_roles` (list of strings) - Optional - A list of roles for which the attribute will be required. - `required_for_scopes` (list of strings) - Optional - A list of scopes for which the attribute will be required. - `permissions` (object) - Optional - The permissions configuration information. - `edit` (list of strings) - Optional - A list of profiles that will be able to edit the attribute. One of `admin`, `user`. - `view` (list of strings) - Optional - A list of profiles that will be able to view the attribute. One of `admin`, `user`. - `validator` (list of objects) - Optional - A list of validators for the attribute. - `name` (string) - Required - The name of the validator. - `config` (map of strings) - Optional - A map defining the configuration of the validator. Values can be a String or a json object. - `annotations` (map of strings) - Optional - A map of annotations for the attribute. Values can be a String or a json object. - `group` (list of objects) - Optional - A list of groups. - `name` (string) - Required - The name of the group. - `display_header` (string) - Optional - The display header of the group. - `display_description` (string) - Optional - The display description of the group. - `annotations` (map of strings) - Optional - A map of annotations for the group. Values can be a String or a json object. ### Request Example ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" } resource "keycloak_realm_user_profile" "userprofile" { realm_id = keycloak_realm.my_realm.id unmanaged_attribute_policy = "ENABLED" attribute { name = "field1" display_name = "Field 1" default_value = "default field1 value" group = "group1" multi_valued = false enabled_when_scope = ["offline_access"] required_for_roles = ["user"] required_for_scopes = ["offline_access"] permissions { view = ["admin", "user"] edit = ["admin", "user"] } validator { name = "person-name-prohibited-characters" } validator { name = "pattern" config = { pattern = "^[a-z0-9 ]+$" error-message = "Nope" } } annotations = { foo = "bar" } } attribute { name = "field2" validator { name = "options" config = { options = jsonencode ( [ "opt1" ]) } } annotations = { foo = jsonencode ( {"key": "val" } ) } } group { name = "group1" display_header = "Group 1" display_description = "A first group" annotations = { foo = "bar" foo2 = jsonencode ( { "key": "val" } ) } } group { name = "group2" } } ``` ### Response #### Success Response (200) - Not applicable (Terraform resource configuration) #### Response Example - Not applicable (Terraform resource configuration) ``` -------------------------------- ### keycloak_openid_client_default_scopes Resource Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_default_scopes.md Example usage for the keycloak_openid_client_default_scopes resource, demonstrating how to manage default scopes for an OpenID Connect client. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "client" { realm_id = keycloak_realm.realm.id client_id = "test-client" access_type = "CONFIDENTIAL" } resource "keycloak_openid_client_scope" "client_scope" { realm_id = keycloak_realm.realm.id name = "test-client-scope" } resource "keycloak_openid_client_default_scopes" "client_default_scopes" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client.id default_scopes = [ "profile", "email", "roles", "web-origins", keycloak_openid_client_scope.client_scope.name, ] } ``` -------------------------------- ### Example Usage of keycloak_users_admin_permissions Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/users_admin_permissions.md This example demonstrates how to configure the `keycloak_realm` to enable admin permissions, set up necessary data sources and policies, and then define two `keycloak_users_admin_permissions` resources for different administrative roles. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" admin_permissions_enabled = true } data "keycloak_openid_client" "admin_permissions" { realm_id = keycloak_realm.realm.id client_id = "admin-permissions" } resource "keycloak_group" "admins" { realm_id = keycloak_realm.realm.id name = "admins" } resource "keycloak_group" "auditors" { realm_id = keycloak_realm.realm.id name = "auditors" } resource "keycloak_openid_client_group_policy" "admins_policy" { realm_id = keycloak_realm.realm.id resource_server_id = data.keycloak_openid_client.admin_permissions.id name = "admins-policy" groups { id = keycloak_group.admins.id path = keycloak_group.admins.path extend_children = false } logic = "POSITIVE" decision_strategy = "UNANIMOUS" } resource "keycloak_openid_client_group_policy" "auditors_policy" { realm_id = keycloak_realm.realm.id resource_server_id = data.keycloak_openid_client.admin_permissions.id name = "auditors-policy" groups { id = keycloak_group.auditors.id path = keycloak_group.auditors.path extend_children = false } logic = "POSITIVE" decision_strategy = "UNANIMOUS" } # One permission per logical role — each is a separate Terraform resource. resource "keycloak_users_admin_permissions" "admins_manage_users" { realm_id = keycloak_realm.realm.id name = "admins-can-manage-users" description = "Admins can view and manage all users" decision_strategy = "UNANIMOUS" scopes = ["view", "manage"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } resource "keycloak_users_admin_permissions" "auditors_view_users" { realm_id = keycloak_realm.realm.id name = "auditors-can-view-users" description = "Auditors can view all users" scopes = ["view"] policies = [keycloak_openid_client_group_policy.auditors_policy.id] } ``` -------------------------------- ### Example Usage of keycloak_openid_client_authorization_permission Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_authorization_permission.md This example demonstrates how to configure a Keycloak realm, an OpenID Connect client, and then define an authorization permission for that client. It includes setting up policies, resources, and scopes. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource keycloak_openid_client test { client_id = "client_id" realm_id = keycloak_realm.realm.id access_type = "CONFIDENTIAL" service_accounts_enabled = true authorization { policy_enforcement_mode = "ENFORCING" } } data keycloak_openid_client_authorization_policy default { realm_id = keycloak_realm.realm.id resource_server_id = keycloak_openid_client.test.resource_server_id name = "default" } resource keycloak_openid_client_authorization_resource test { resource_server_id = keycloak_openid_client.test.resource_server_id name = "resource_name" realm_id = keycloak_realm.realm.id uris = [ "/endpoint/*" ] } resource keycloak_openid_client_authorization_scope test { resource_server_id = keycloak_openid_client.test.resource_server_id name = "scope_name" realm_id = keycloak_realm.realm.id } resource keycloak_openid_client_authorization_permission test { resource_server_id = keycloak_openid_client.test.resource_server_id realm_id = keycloak_realm.realm.id name = "permission_name" policies = [data.keycloak_openid_client_authorization_policy.default.id] resources = [keycloak_openid_client_authorization_resource.test.id] } ``` -------------------------------- ### Example Usage of keycloak_attribute_to_role_identity_provider_mapper Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/attribute_to_role_identity_provider_mapper.md This example demonstrates how to configure the keycloak_attribute_to_role_identity_provider_mapper resource. Ensure `extra_config` with `syncMode` is included for Keycloak 10 and later. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_oidc_identity_provider" "oidc" { realm = keycloak_realm.realm.id alias = "oidc" authorization_url = "https://example.com/auth" token_url = "https://example.com/token" client_id = "example_id" client_secret = "example_token" default_scopes = "openid random profile" } resource "keycloak_role" "realm_role" { realm_id = keycloak_realm.realm.id name = "my-realm-role" description = "My Realm Role" } resource "keycloak_attribute_to_role_identity_provider_mapper" "oidc" { realm = keycloak_realm.realm.id name = "role-attribute" identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias role = "my-realm-role" claim_name = "my-claim" claim_value = "my-value" # extra_config with syncMode is required in Keycloak 10+ extra_config = { syncMode = "INHERIT" } } ``` -------------------------------- ### Example Usage of keycloak_openid_client_admin_permissions Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_admin_permissions.md This example demonstrates how to configure a realm with admin permissions enabled, define a group policy, and then create specific client admin permissions. It shows how to target a single client with multiple scopes and how to create a permission that applies to all clients in the realm. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" admin_permissions_enabled = true } data "keycloak_openid_client" "admin_permissions" { realm_id = keycloak_realm.realm.id client_id = "admin-permissions" } resource "keycloak_openid_client" "my_client" { realm_id = keycloak_realm.realm.id client_id = "my-client" access_type = "CONFIDENTIAL" } resource "keycloak_group" "admins" { realm_id = keycloak_realm.realm.id name = "admins" } resource "keycloak_openid_client_group_policy" "admins_policy" { realm_id = keycloak_realm.realm.id resource_server_id = data.keycloak_openid_client.admin_permissions.id name = "admins-policy" groups { id = keycloak_group.admins.id path = keycloak_group.admins.path extend_children = false } logic = "POSITIVE" decision_strategy = "UNANIMOUS" } # Permission targeting a specific client with multiple scopes. resource "keycloak_openid_client_admin_permissions" "admins_manage_my_client" { realm_id = keycloak_realm.realm.id name = "admins-manage-my-client" description = "Admins can view and manage my-client" decision_strategy = "UNANIMOUS" client_ids = [keycloak_openid_client.my_client.id] scopes = ["view", "manage"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } # Permission targeting ALL clients in the realm (client_ids omitted). resource "keycloak_openid_client_admin_permissions" "admins_view_all_clients" { realm_id = keycloak_realm.realm.id name = "admins-can-view-all-clients" # client_ids omitted → applies to all clients in the realm scopes = ["view"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } ``` -------------------------------- ### keycloak_generic_client_protocol_mapper Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_protocol_mapper.md This example shows how to configure a generic SAML protocol mapper for a client. Ensure the realm and client resources are defined prior to this. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_saml_client" "saml_client" { realm_id = keycloak_realm.realm.id client_id = "test-client" } resource "keycloak_generic_client_protocol_mapper" "saml_hardcode_attribute_mapper" { realm_id = keycloak_realm.realm.id client_id = keycloak_saml_client.saml_client.id name = "test-mapper" protocol = "saml" protocol_mapper = "saml-hardcode-attribute-mapper" config = { "attribute.name" = "name" "attribute.nameformat" = "Basic" "attribute.value" = "value" "friendly.name" = "display name" } } ``` -------------------------------- ### Example: Map Realm Role to Client Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_role_mapper.md This example demonstrates how to map a realm role to an OpenID Connect client. Ensure the realm and client resources are defined prior to this mapping. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "client" { realm_id = keycloak_realm.realm.id client_id = "client" name = "client" enabled = true access_type = "BEARER-ONLY" } resource "keycloak_role" "realm_role" { realm_id = keycloak_realm.realm.id name = "my-realm-role" description = "My Realm Role" } resource "keycloak_generic_role_mapper" "client_role_mapper" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client.id role_id = keycloak_role.realm_role.id } ``` -------------------------------- ### Example Usage (Client) Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_user_session_note_protocol_mapper.md Configure a user session note protocol mapper for a specific OpenID client. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "openid_client" { realm_id = keycloak_realm.realm.id client_id = "client" name = "client" enabled = true access_type = "CONFIDENTIAL" valid_redirect_uris = [ "http://localhost:8080/openid-callback" ] } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.openid_client.id name = "user-session-note-mapper" claim_name = "foo" claim_value_type = "String" session_note = "bar" } ``` -------------------------------- ### keycloak_group_permissions Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/group_permissions.md This example demonstrates how to configure the keycloak_group_permissions resource to manage permissions for a specific group, including managing members. ```hcl resource "keycloak_realm" "realm" { realm = "my_realm" } data "keycloak_openid_client" "realm_management" { realm_id = keycloak_realm.realm.id client_id = "realm-management" } resource "keycloak_openid_client_permissions" "realm-management_permission" { realm_id = keycloak_realm.realm.id client_id = data.keycloak_openid_client.realm_management.id } resource "keycloak_group" "group" { realm_id = keycloak_realm.realm.id name = "%s" } resource "keycloak_openid_client_group_policy" "test" { realm_id = keycloak_realm.realm.id resource_server_id = data.keycloak_openid_client.realm_management.id name = "client_group_policy_test" groups { id = keycloak_group.group.id path = keycloak_group.group.path extend_children = false } logic = "POSITIVE" decision_strategy = "UNANIMOUS" depends_on = [ keycloak_openid_client_permissions.realm-management_permission, ] } resource "keycloak_group_permissions" "test" { realm_id = keycloak_realm.realm.id group_id = keycloak_group.group.id manage_members_scope { policies = [ keycloak_openid_client_group_policy.test.id ] description = "mangage_members_scope" decision_strategy = "UNANIMOUS" } } ``` -------------------------------- ### Example Usage of keycloak_generic_protocol_mapper Data Source Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/data-sources/generic_protocol_mapper.md This example demonstrates how to use the data source to fetch an existing protocol mapper and then use its properties to declare a resource that adopts it. It also shows how to compute the import ID. ```hcl data "keycloak_openid_client_scope" "organization" { realm_id = "my-realm" name = "organization" } data "keycloak_generic_protocol_mapper" "organization_membership" { realm_id = "my-realm" client_scope_id = data.keycloak_openid_client_scope.organization.id name = "organization" } # Declare the resource that will adopt the existing mapper. resource "keycloak_generic_protocol_mapper" "organization_membership" { realm_id = "my-realm" client_scope_id = data.keycloak_openid_client_scope.organization.id name = "organization" protocol = data.keycloak_generic_protocol_mapper.organization_membership.protocol protocol_mapper = data.keycloak_generic_protocol_mapper.organization_membership.protocol_mapper config = data.keycloak_generic_protocol_mapper.organization_membership.config } # Use the data source to compute the import ID. import { to = keycloak_generic_protocol_mapper.organization_membership id = "my-realm/client-scope/${data.keycloak_openid_client_scope.organization.id}/${data.keycloak_generic_protocol_mapper.organization_membership.id}" } ``` -------------------------------- ### keycloak_realm_client_registration_policy Resource Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/realm_client_registration_policy.md This example demonstrates how to create a custom client registration policy within a Keycloak realm. It requires a pre-existing realm resource. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" } resource "keycloak_realm_client_registration_policy" "custom" { realm_id = keycloak_realm.realm.id name = "My Custom Policy" provider_id = "my-client-registration-policy" sub_type = "anonymous" } ``` -------------------------------- ### Example Usage of keycloak_group_admin_permissions Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/group_admin_permissions.md This example demonstrates how to configure a realm with admin permissions enabled, define an admin permissions client, create groups, and then set up a group admin permission resource. It shows how to target a specific group with multiple scopes and how to apply a permission to all groups in the realm. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" admin_permissions_enabled = true } data "keycloak_openid_client" "admin_permissions" { realm_id = keycloak_realm.realm.id client_id = "admin-permissions" } resource "keycloak_group" "admins" { realm_id = keycloak_realm.realm.id name = "admins" } resource "keycloak_group" "target_group" { realm_id = keycloak_realm.realm.id name = "my-group" } resource "keycloak_openid_client_group_policy" "admins_policy" { realm_id = keycloak_realm.realm.id resource_server_id = data.keycloak_openid_client.admin_permissions.id name = "admins-policy" groups { id = keycloak_group.admins.id path = keycloak_group.admins.path extend_children = false } logic = "POSITIVE" decision_strategy = "UNANIMOUS" } # Permission targeting a specific group with multiple scopes. resource "keycloak_group_admin_permissions" "admins_manage_target_group" { realm_id = keycloak_realm.realm.id name = "admins-manage-my-group" description = "Admins can view and manage members of my-group" decision_strategy = "UNANIMOUS" group_ids = [keycloak_group.target_group.id] scopes = ["view", "manage-members"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } # Permission targeting ALL groups in the realm (group_ids omitted). resource "keycloak_group_admin_permissions" "admins_view_all_groups" { realm_id = keycloak_realm.realm.id name = "admins-can-view-all-groups" # group_ids omitted → applies to all groups in the realm scopes = ["view"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } ``` -------------------------------- ### keycloak_openid_client_scope Resource Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_scope.md This example demonstrates how to create a Keycloak OpenID client scope resource. It requires a `keycloak_realm` resource to be defined first. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client_scope" "openid_client_scope" { realm_id = keycloak_realm.realm.id name = "groups" description = "When requested, this scope will map a user's group memberships to a claim" include_in_token_scope = true include_in_openid_provider_metadata = true gui_order = 1 } ``` -------------------------------- ### keycloak_default_groups Resource Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/default_groups.md This example demonstrates how to configure the `keycloak_default_groups` resource. It first defines a realm and a group, then assigns the created group as a default group for the realm. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_group" "group" { realm_id = keycloak_realm.realm.id name = "my-group" } resource "keycloak_default_groups" "default" { realm_id = keycloak_realm.realm.id group_ids = [ keycloak_group.group.id ] } ``` -------------------------------- ### Example: Map Client Role to Client Scope Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_role_mapper.md This example demonstrates mapping a client role to a client scope. This is useful for organizing role assignments within client scopes. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "client" { realm_id = keycloak_realm.realm.id client_id = "client" name = "client" enabled = true access_type = "BEARER-ONLY" } resource "keycloak_role" "client_role" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client.id name = "my-client-role" description = "My Client Role" } resource "keycloak_openid_client_scope" "client_scope" { realm_id = keycloak_realm.realm.id name = "my-client-scope" } resource "keycloak_generic_role_mapper" "client_b_role_mapper" { realm_id = keycloak_realm.realm.id client_scope_id = keycloak_openid_client_scope.client_scope.id role_id = keycloak_role.client_role.id } ``` -------------------------------- ### Example Usage of keycloak_realm_client_registration_policy Data Source Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/data-sources/realm_client_registration_policy.md This example demonstrates how to use the data source to find a 'Trusted Hosts' client registration policy within a realm and output its ID. It requires a 'keycloak_realm' resource to be defined. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" } data "keycloak_realm_client_registration_policy" "trusted_hosts" { realm_id = keycloak_realm.realm.id name = "Trusted Hosts" provider_id = "trusted-hosts" sub_type = "anonymous" } output "trusted_hosts_policy_id" { value = data.keycloak_realm_client_registration_policy.trusted_hosts.id } ``` -------------------------------- ### Example Usage (Client Scope) Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_user_session_note_protocol_mapper.md Configure a user session note protocol mapper for a shared client scope. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client_scope" "client_scope" { realm_id = keycloak_realm.realm.id name = "client-scope" } resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" { realm_id = keycloak_realm.realm.id client_scope_id = keycloak_openid_client_scope.client_scope.id name = "user-session-note-mapper" claim_name = "foo" claim_value_type = "String" session_note = "bar" } ``` -------------------------------- ### Example Usage of keycloak_user_roles with exhaustive roles Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/user_roles.md This example demonstrates how to use the keycloak_user_roles resource to manage a user's roles exhaustively. Ensure the necessary Keycloak resources like realm, roles, client, and user are defined. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_role" "realm_role" { realm_id = keycloak_realm.realm.id name = "my-realm-role" description = "My Realm Role" } resource "keycloak_openid_client" "client" { realm_id = keycloak_realm.realm.id client_id = "client" name = "client" enabled = true access_type = "BEARER-ONLY" } resource "keycloak_role" "client_role" { realm_id = keycloak_realm.realm.id client_id = keycloak_client.client.id name = "my-client-role" description = "My Client Role" } resource "keycloak_user" "user" { realm_id = keycloak_realm.realm.id username = "bob" enabled = true email = "bob@domain.com" first_name = "Bob" last_name = "Bobson" } resource "keycloak_user_roles" "user_roles" { realm_id = keycloak_realm.realm.id user_id = keycloak_user.user.id role_ids = [ keycloak_role.realm_role.id, keycloak_role.client_role.id, ] } ``` -------------------------------- ### Example Usage of keycloak_role_admin_permissions Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/role_admin_permissions.md This example demonstrates how to configure the `keycloak_role_admin_permissions` resource to manage role permissions. It includes setting up a realm, an admin permissions client, roles, a group policy, and then defining two distinct role admin permission resources: one targeting specific roles and scopes, and another targeting all roles within the realm. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" admin_permissions_enabled = true } data "keycloak_openid_client" "admin_permissions" { realm_id = keycloak_realm.realm.id client_id = "admin-permissions" } resource "keycloak_role" "role_a" { realm_id = keycloak_realm.realm.id name = "role-a" } resource "keycloak_role" "role_b" { realm_id = keycloak_realm.realm.id name = "role-b" } resource "keycloak_group" "admins" { realm_id = keycloak_realm.realm.id name = "admins" } resource "keycloak_openid_client_group_policy" "admins_policy" { realm_id = keycloak_realm.realm.id resource_server_id = data.keycloak_openid_client.admin_permissions.id name = "admins-policy" groups { id = keycloak_group.admins.id path = keycloak_group.admins.path extend_children = false } logic = "POSITIVE" decision_strategy = "UNANIMOUS" } # Permission targeting two specific roles with multiple scopes. resource "keycloak_role_admin_permissions" "admins_map_specific_roles" { realm_id = keycloak_realm.realm.id name = "admins-can-map-specific-roles" description = "Admins can map or make composite role-a and role-b" decision_strategy = "UNANIMOUS" role_ids = [ keycloak_role.role_a.id, keycloak_role.role_b.id, ] scopes = ["map-role", "map-role-composite"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } # Permission targeting ALL roles in the realm (role_ids omitted). resource "keycloak_role_admin_permissions" "admins_map_any_role" { realm_id = keycloak_realm.realm.id name = "admins-can-map-any-role" # role_ids omitted → applies to all roles in the realm scopes = ["map-role"] policies = [keycloak_openid_client_group_policy.admins_policy.id] } ``` -------------------------------- ### Example Usage: Client Role to Client Scope Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_role_mapper.md This example demonstrates mapping a role from one client to a client scope. This is useful for organizing and assigning roles within specific contexts. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "client" { realm_id = keycloak_realm.realm.id client_id = "client" name = "client" enabled = true access_type = "BEARER-ONLY" } resource "keycloak_role" "client_role" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client.id name = "my-client-role" description = "My Client Role" } resource "keycloak_openid_client_scope" "client_scope" { realm_id = keycloak_realm.realm.id name = "my-client-scope" } resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" { realm_id = keycloak_realm.realm.id client_scope_id = keycloak_openid_client_scope.client_scope.id role_id = keycloak_role.client_role.id } ``` -------------------------------- ### Example: Map Realm Role to Client Scope Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_role_mapper.md This example shows how to map a realm role to a specific client scope. This allows roles to be associated with a client scope rather than directly with a client. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client_scope" "client_scope" { realm_id = keycloak_realm.realm.id name = "my-client-scope" } resource "keycloak_role" "realm_role" { realm_id = keycloak_realm.realm.id name = "my-realm-role" description = "My Realm Role" } resource "keycloak_generic_role_mapper" "client_role_mapper" { realm_id = keycloak_realm.realm.id client_scope_id = keycloak_openid_client_scope.client_scope.id role_id = keycloak_role.realm_role.id } ``` -------------------------------- ### Example Usage: Client Role to Client Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_role_mapper.md This example shows how to map a role from one client (client_a) to another client (client_b). Note that `full_scope_allowed` is set to `false` for `client_a` to enable role scope mapping. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_openid_client" "client_a" { realm_id = keycloak_realm.realm.id client_id = "client-a" name = "client-a" enabled = true access_type = "BEARER-ONLY" // disable full scope, roles are assigned via keycloak_generic_client_role_mapper full_scope_allowed = false } resource "keycloak_role" "client_role_a" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client_a.id name = "my-client-role" description = "My Client Role" } resource "keycloak_openid_client" "client_b" { realm_id = keycloak_realm.realm.id client_id = "client-b" name = "client-b" enabled = true access_type = "BEARER-ONLY" } resource "keycloak_role" "client_role_b" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client_b.id name = "my-client-role" description = "My Client Role" } resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" { realm_id = keycloak_realm.realm.id client_id = keycloak_openid_client.client_b.id role_id = keycloak_role.client_role_a.id } ``` -------------------------------- ### Import an Organization Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/organization.md This example shows the command to import an existing Keycloak organization into Terraform management. The organization ID is a GUID assigned by Keycloak. ```bash $ terraform import keycloak_organization.this my-realm/cec54914-b702-4c7b-9431-b407817d059a ``` -------------------------------- ### Importing keycloak_user_roles Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/user_roles.md This example shows how to import an existing keycloak_user_roles resource using its realm ID and user ID. The user ID is a unique GUID assigned by Keycloak. ```bash $ terraform import keycloak_user_roles.user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924 ``` -------------------------------- ### OIDC Identity Provider Example Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/oidc_identity_provider.md Create and configure an OIDC identity provider within a Keycloak realm. This snippet demonstrates the basic setup using standard arguments. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" enabled = true } resource "keycloak_oidc_identity_provider" "realm_identity_provider" { realm = keycloak_realm.realm.id alias = "my-idp" authorization_url = "https://authorizationurl.com" client_id = "clientID" client_secret = "clientSecret" token_url = "https://tokenurl.com" extra_config = { "clientAuthMethod" = "client_secret_post" } } ``` -------------------------------- ### Import an authentication flow Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/authentication_flow.md Example of importing an existing authentication flow using its realm ID and the flow's GUID. The flow ID can be found via the Keycloak admin API. ```bash $ terraform import keycloak_authentication_flow.flow my-realm/e9a5641e-778c-4daf-89c0-f4ef617987d1 ``` -------------------------------- ### Configure Realm and User Permissions Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/users_permissions.md Example of setting up a realm, enabling permissions for the realm management client, and defining user policies for fine-grained access control. ```hcl resource "keycloak_realm" "realm" { realm = "my-realm" } data "keycloak_openid_client" "realm_management" { realm_id = keycloak_realm.realm.id client_id = "realm-management" } // enable permissions for realm-management client resource "keycloak_openid_client_permissions" "realm_management_permission" { realm_id = keycloak_realm.realm.id client_id = data.keycloak_openid_client.realm_management.id enabled = true } // creating a user to use with the keycloak_openid_client_user_policy resource resource "keycloak_user" "test" { realm_id = keycloak_realm.realm.id username = "test-user" email = "test-user@fakedomain.com" first_name = "Testy" last_name = "Tester" } resource "keycloak_openid_client_user_policy" "test" { realm_id = keycloak_realm.realm.id resource_server_id = "${data.keycloak_openid_client.realm_management.id}" name = "client_user_policy_test" users = [keycloak_user.test.id] logic = "POSITIVE" decision_strategy = "UNANIMOUS" depends_on = [ keycloak_openid_client_permissions.realm_management_permission, ] } resource "keycloak_users_permissions" "users_permissions" { realm_id = keycloak_realm.realm.id view_scope { policies = [ keycloak_openid_client_user_policy.test.id ] description = "description" decision_strategy = "UNANIMOUS" } manage_scope { policies = [ keycloak_openid_client_user_policy.test.id ] description = "description" decision_strategy = "UNANIMOUS" } map_roles_scope { policies = [ keycloak_openid_client_user_policy.test.id ] description = "description" decision_strategy = "UNANIMOUS" } manage_group_membership_scope { policies = [ keycloak_openid_client_user_policy.test.id ] description = "description" decision_strategy = "UNANIMOUS" } impersonate_scope { policies = [ keycloak_openid_client_user_policy.test.id ] description = "description" decision_strategy = "UNANIMOUS" } user_impersonated_scope { policies = [ keycloak_openid_client_user_policy.test.id ] description = "description" decision_strategy = "UNANIMOUS" } } ```