### Import Example (Client)
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_group_membership_protocol_mapper.md
This example demonstrates how to import an existing group membership protocol mapper associated with a client.
```bash
$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
```
--------------------------------
### keycloak_openid_client_permissions Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_permissions.md
Example of how to create an OpenID client and then manage its view scope permissions using a user policy.
```hcl
resource "keycloak_realm" "realm" {
realm = "realm"
}
resource "keycloak_openid_client" "my_openid_client" {
realm_id = keycloak_realm.realm.id
name = "my_openid_client"
client_id = "my_openid_client"
client_secret = "secret"
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"http://localhost:8080/*",
]
}
data "keycloak_openid_client" "realm_management" {
realm_id = keycloak_realm.realm.id
client_id = "realm-management"
}
resource keycloak_user test {
realm_id = keycloak_realm.realm.id
username = "test-user"
email = "test-user@fakedomain.com"
first_name = "Testy"
last_name = "Tester"
}
resource keycloak_openid_client_user_policy test {
resource_server_id = data.keycloak_openid_client.realm_management.id
realm_id = keycloak_realm.realm.id
name = "client_user_policy_test"
users = [
keycloak_user.test.id
]
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
depends_on = [
keycloak_openid_client.my_openid_client
]
}
resource "keycloak_openid_client_permissions" "my_permission" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.my_openid_client.id
view_scope {
policies = [
keycloak_openid_client_user_policy.test.id,
]
description = "my description"
decision_strategy = "UNANIMOUS"
}
}
```
--------------------------------
### Onboard new users with Keycloak Workflow
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/workflow.md
This example mirrors the official Keycloak workflow guide. The workflow sends a welcome notification, requires a password update after 30 days, and then restarts the workflow. It triggers on every user_created event.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_workflow" "onboarding" {
realm = keycloak_realm.realm.id
name = "onboarding-new-users"
on = "user_created"
enabled = true
step {
uses = "notify-user"
config = {
message = <<-EOT
Dear $${user.firstName} $${user.lastName},
Welcome to $${realm.displayName}!
Best regards,
The Keycloak Team
EOT
}
}
step {
uses = "set-user-required-action"
after = "2592000000" # 30 days in milliseconds
config = {
action = "UPDATE_PASSWORD"
}
}
# restart is a workflow control-flow step (loop back to step 1)
step {
uses = "restart"
config = {
position = "1"
}
}
}
```
--------------------------------
### Import Example (Client Scope)
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_group_membership_protocol_mapper.md
This example demonstrates how to import an existing group membership protocol mapper associated with a client scope.
```bash
$ terraform import keycloak_openid_group_membership_protocol_mapper.group_membership_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4
```
--------------------------------
### Build and Run Example Project for Debugging
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/README.md
This sequence of commands builds the example project for debugging and then applies it using Terraform. Ensure the local environment is set up using 'make local' prior to running these commands.
```bash
make build-example
cd example
terraform init
terraform plan -out tfplan
terraform apply tfplan
rm tfplan
```
--------------------------------
### Example Usage: Realm Role to Client
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_role_mapper.md
This example demonstrates how to map a realm role to a client. Ensure the realm, client, and role resources are defined.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "client" {
realm_id = keycloak_realm.realm.id
client_id = "client"
name = "client"
enabled = true
access_type = "BEARER-ONLY"
}
resource "keycloak_role" "realm_role" {
realm_id = keycloak_realm.realm.id
name = "my-realm-role"
description = "My Realm Role"
}
resource "keycloak_generic_client_role_mapper" "client_role_mapper" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client.id
role_id = keycloak_role.realm_role.id
}
```
--------------------------------
### keycloak_realm_user_profile Resource Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/realm_user_profile.md
Example usage for creating a realm user profile resource.
```APIDOC
## keycloak_realm_user_profile Resource Example
### Description
Example usage for creating a realm user profile resource.
### Method
Not applicable (Terraform resource configuration)
### Endpoint
Not applicable (Terraform resource configuration)
### Parameters
#### Path Parameters
- None
#### Query Parameters
- None
#### Request Body
- `realm_id` (string) - Required - The ID of the realm the user profile applies to.
- `unmanaged_attribute_policy` (string) - Optional - Unmanaged attributes are user attributes not explicitly defined in the user profile configuration. By default, unmanaged attributes are not enabled. Value could be one of `DISABLED`, `ENABLED`, `ADMIN_EDIT` or `ADMIN_VIEW`. If value is not specified it means `DISABLED`.
- `attribute` (list of objects) - Optional - An ordered list of attributes.
- `name` (string) - Required - The name of the attribute.
- `display_name` (string) - Optional - The display name of the attribute.
- `default_value` (string) - Optional - The default value of the attribute. Only applied with Keycloak 26.4.0 or later.
- `multi_valued` (boolean) - Optional - If the attribute supports multiple values. Defaults to `false`.
- `group` (string) - Optional - The group that the attribute belong to.
- `enabled_when_scope` (list of strings) - Optional - A list of scopes. The attribute will only be enabled when these scopes are requested by clients.
- `required_for_roles` (list of strings) - Optional - A list of roles for which the attribute will be required.
- `required_for_scopes` (list of strings) - Optional - A list of scopes for which the attribute will be required.
- `permissions` (object) - Optional - The permissions configuration information.
- `edit` (list of strings) - Optional - A list of profiles that will be able to edit the attribute. One of `admin`, `user`.
- `view` (list of strings) - Optional - A list of profiles that will be able to view the attribute. One of `admin`, `user`.
- `validator` (list of objects) - Optional - A list of validators for the attribute.
- `name` (string) - Required - The name of the validator.
- `config` (map of strings) - Optional - A map defining the configuration of the validator. Values can be a String or a json object.
- `annotations` (map of strings) - Optional - A map of annotations for the attribute. Values can be a String or a json object.
- `group` (list of objects) - Optional - A list of groups.
- `name` (string) - Required - The name of the group.
- `display_header` (string) - Optional - The display header of the group.
- `display_description` (string) - Optional - The display description of the group.
- `annotations` (map of strings) - Optional - A map of annotations for the group. Values can be a String or a json object.
### Request Example
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
}
resource "keycloak_realm_user_profile" "userprofile" {
realm_id = keycloak_realm.my_realm.id
unmanaged_attribute_policy = "ENABLED"
attribute {
name = "field1"
display_name = "Field 1"
default_value = "default field1 value"
group = "group1"
multi_valued = false
enabled_when_scope = ["offline_access"]
required_for_roles = ["user"]
required_for_scopes = ["offline_access"]
permissions {
view = ["admin", "user"]
edit = ["admin", "user"]
}
validator {
name = "person-name-prohibited-characters"
}
validator {
name = "pattern"
config = {
pattern = "^[a-z0-9 ]+$"
error-message = "Nope"
}
}
annotations = {
foo = "bar"
}
}
attribute {
name = "field2"
validator {
name = "options"
config = {
options = jsonencode ( [ "opt1" ])
}
}
annotations = {
foo = jsonencode ( {"key": "val" } )
}
}
group {
name = "group1"
display_header = "Group 1"
display_description = "A first group"
annotations = {
foo = "bar"
foo2 = jsonencode ( { "key": "val" } )
}
}
group {
name = "group2"
}
}
```
### Response
#### Success Response (200)
- Not applicable (Terraform resource configuration)
#### Response Example
- Not applicable (Terraform resource configuration)
```
--------------------------------
### keycloak_openid_client_default_scopes Resource Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_default_scopes.md
Example usage for the keycloak_openid_client_default_scopes resource, demonstrating how to manage default scopes for an OpenID Connect client.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "client" {
realm_id = keycloak_realm.realm.id
client_id = "test-client"
access_type = "CONFIDENTIAL"
}
resource "keycloak_openid_client_scope" "client_scope" {
realm_id = keycloak_realm.realm.id
name = "test-client-scope"
}
resource "keycloak_openid_client_default_scopes" "client_default_scopes" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client.id
default_scopes = [
"profile",
"email",
"roles",
"web-origins",
keycloak_openid_client_scope.client_scope.name,
]
}
```
--------------------------------
### Example Usage of keycloak_users_admin_permissions
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/users_admin_permissions.md
This example demonstrates how to configure the `keycloak_realm` to enable admin permissions, set up necessary data sources and policies, and then define two `keycloak_users_admin_permissions` resources for different administrative roles.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
admin_permissions_enabled = true
}
data "keycloak_openid_client" "admin_permissions" {
realm_id = keycloak_realm.realm.id
client_id = "admin-permissions"
}
resource "keycloak_group" "admins" {
realm_id = keycloak_realm.realm.id
name = "admins"
}
resource "keycloak_group" "auditors" {
realm_id = keycloak_realm.realm.id
name = "auditors"
}
resource "keycloak_openid_client_group_policy" "admins_policy" {
realm_id = keycloak_realm.realm.id
resource_server_id = data.keycloak_openid_client.admin_permissions.id
name = "admins-policy"
groups {
id = keycloak_group.admins.id
path = keycloak_group.admins.path
extend_children = false
}
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
}
resource "keycloak_openid_client_group_policy" "auditors_policy" {
realm_id = keycloak_realm.realm.id
resource_server_id = data.keycloak_openid_client.admin_permissions.id
name = "auditors-policy"
groups {
id = keycloak_group.auditors.id
path = keycloak_group.auditors.path
extend_children = false
}
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
}
# One permission per logical role — each is a separate Terraform resource.
resource "keycloak_users_admin_permissions" "admins_manage_users" {
realm_id = keycloak_realm.realm.id
name = "admins-can-manage-users"
description = "Admins can view and manage all users"
decision_strategy = "UNANIMOUS"
scopes = ["view", "manage"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
resource "keycloak_users_admin_permissions" "auditors_view_users" {
realm_id = keycloak_realm.realm.id
name = "auditors-can-view-users"
description = "Auditors can view all users"
scopes = ["view"]
policies = [keycloak_openid_client_group_policy.auditors_policy.id]
}
```
--------------------------------
### Example Usage of keycloak_openid_client_authorization_permission
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_authorization_permission.md
This example demonstrates how to configure a Keycloak realm, an OpenID Connect client, and then define an authorization permission for that client. It includes setting up policies, resources, and scopes.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource keycloak_openid_client test {
client_id = "client_id"
realm_id = keycloak_realm.realm.id
access_type = "CONFIDENTIAL"
service_accounts_enabled = true
authorization {
policy_enforcement_mode = "ENFORCING"
}
}
data keycloak_openid_client_authorization_policy default {
realm_id = keycloak_realm.realm.id
resource_server_id = keycloak_openid_client.test.resource_server_id
name = "default"
}
resource keycloak_openid_client_authorization_resource test {
resource_server_id = keycloak_openid_client.test.resource_server_id
name = "resource_name"
realm_id = keycloak_realm.realm.id
uris = [
"/endpoint/*"
]
}
resource keycloak_openid_client_authorization_scope test {
resource_server_id = keycloak_openid_client.test.resource_server_id
name = "scope_name"
realm_id = keycloak_realm.realm.id
}
resource keycloak_openid_client_authorization_permission test {
resource_server_id = keycloak_openid_client.test.resource_server_id
realm_id = keycloak_realm.realm.id
name = "permission_name"
policies = [data.keycloak_openid_client_authorization_policy.default.id]
resources = [keycloak_openid_client_authorization_resource.test.id]
}
```
--------------------------------
### Example Usage of keycloak_attribute_to_role_identity_provider_mapper
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/attribute_to_role_identity_provider_mapper.md
This example demonstrates how to configure the keycloak_attribute_to_role_identity_provider_mapper resource. Ensure `extra_config` with `syncMode` is included for Keycloak 10 and later.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_oidc_identity_provider" "oidc" {
realm = keycloak_realm.realm.id
alias = "oidc"
authorization_url = "https://example.com/auth"
token_url = "https://example.com/token"
client_id = "example_id"
client_secret = "example_token"
default_scopes = "openid random profile"
}
resource "keycloak_role" "realm_role" {
realm_id = keycloak_realm.realm.id
name = "my-realm-role"
description = "My Realm Role"
}
resource "keycloak_attribute_to_role_identity_provider_mapper" "oidc" {
realm = keycloak_realm.realm.id
name = "role-attribute"
identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
role = "my-realm-role"
claim_name = "my-claim"
claim_value = "my-value"
# extra_config with syncMode is required in Keycloak 10+
extra_config = {
syncMode = "INHERIT"
}
}
```
--------------------------------
### Example Usage of keycloak_openid_client_admin_permissions
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_admin_permissions.md
This example demonstrates how to configure a realm with admin permissions enabled, define a group policy, and then create specific client admin permissions. It shows how to target a single client with multiple scopes and how to create a permission that applies to all clients in the realm.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
admin_permissions_enabled = true
}
data "keycloak_openid_client" "admin_permissions" {
realm_id = keycloak_realm.realm.id
client_id = "admin-permissions"
}
resource "keycloak_openid_client" "my_client" {
realm_id = keycloak_realm.realm.id
client_id = "my-client"
access_type = "CONFIDENTIAL"
}
resource "keycloak_group" "admins" {
realm_id = keycloak_realm.realm.id
name = "admins"
}
resource "keycloak_openid_client_group_policy" "admins_policy" {
realm_id = keycloak_realm.realm.id
resource_server_id = data.keycloak_openid_client.admin_permissions.id
name = "admins-policy"
groups {
id = keycloak_group.admins.id
path = keycloak_group.admins.path
extend_children = false
}
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
}
# Permission targeting a specific client with multiple scopes.
resource "keycloak_openid_client_admin_permissions" "admins_manage_my_client" {
realm_id = keycloak_realm.realm.id
name = "admins-manage-my-client"
description = "Admins can view and manage my-client"
decision_strategy = "UNANIMOUS"
client_ids = [keycloak_openid_client.my_client.id]
scopes = ["view", "manage"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
# Permission targeting ALL clients in the realm (client_ids omitted).
resource "keycloak_openid_client_admin_permissions" "admins_view_all_clients" {
realm_id = keycloak_realm.realm.id
name = "admins-can-view-all-clients"
# client_ids omitted → applies to all clients in the realm
scopes = ["view"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
```
--------------------------------
### keycloak_generic_client_protocol_mapper Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_protocol_mapper.md
This example shows how to configure a generic SAML protocol mapper for a client. Ensure the realm and client resources are defined prior to this.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_saml_client" "saml_client" {
realm_id = keycloak_realm.realm.id
client_id = "test-client"
}
resource "keycloak_generic_client_protocol_mapper" "saml_hardcode_attribute_mapper" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_saml_client.saml_client.id
name = "test-mapper"
protocol = "saml"
protocol_mapper = "saml-hardcode-attribute-mapper"
config = {
"attribute.name" = "name"
"attribute.nameformat" = "Basic"
"attribute.value" = "value"
"friendly.name" = "display name"
}
}
```
--------------------------------
### Example: Map Realm Role to Client
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_role_mapper.md
This example demonstrates how to map a realm role to an OpenID Connect client. Ensure the realm and client resources are defined prior to this mapping.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "client" {
realm_id = keycloak_realm.realm.id
client_id = "client"
name = "client"
enabled = true
access_type = "BEARER-ONLY"
}
resource "keycloak_role" "realm_role" {
realm_id = keycloak_realm.realm.id
name = "my-realm-role"
description = "My Realm Role"
}
resource "keycloak_generic_role_mapper" "client_role_mapper" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client.id
role_id = keycloak_role.realm_role.id
}
```
--------------------------------
### Example Usage (Client)
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_user_session_note_protocol_mapper.md
Configure a user session note protocol mapper for a specific OpenID client.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "openid_client" {
realm_id = keycloak_realm.realm.id
client_id = "client"
name = "client"
enabled = true
access_type = "CONFIDENTIAL"
valid_redirect_uris = [
"http://localhost:8080/openid-callback"
]
}
resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.openid_client.id
name = "user-session-note-mapper"
claim_name = "foo"
claim_value_type = "String"
session_note = "bar"
}
```
--------------------------------
### keycloak_group_permissions Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/group_permissions.md
This example demonstrates how to configure the keycloak_group_permissions resource to manage permissions for a specific group, including managing members.
```hcl
resource "keycloak_realm" "realm" {
realm = "my_realm"
}
data "keycloak_openid_client" "realm_management" {
realm_id = keycloak_realm.realm.id
client_id = "realm-management"
}
resource "keycloak_openid_client_permissions" "realm-management_permission" {
realm_id = keycloak_realm.realm.id
client_id = data.keycloak_openid_client.realm_management.id
}
resource "keycloak_group" "group" {
realm_id = keycloak_realm.realm.id
name = "%s"
}
resource "keycloak_openid_client_group_policy" "test" {
realm_id = keycloak_realm.realm.id
resource_server_id = data.keycloak_openid_client.realm_management.id
name = "client_group_policy_test"
groups {
id = keycloak_group.group.id
path = keycloak_group.group.path
extend_children = false
}
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
depends_on = [
keycloak_openid_client_permissions.realm-management_permission,
]
}
resource "keycloak_group_permissions" "test" {
realm_id = keycloak_realm.realm.id
group_id = keycloak_group.group.id
manage_members_scope {
policies = [
keycloak_openid_client_group_policy.test.id
]
description = "mangage_members_scope"
decision_strategy = "UNANIMOUS"
}
}
```
--------------------------------
### Example Usage of keycloak_generic_protocol_mapper Data Source
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/data-sources/generic_protocol_mapper.md
This example demonstrates how to use the data source to fetch an existing protocol mapper and then use its properties to declare a resource that adopts it. It also shows how to compute the import ID.
```hcl
data "keycloak_openid_client_scope" "organization" {
realm_id = "my-realm"
name = "organization"
}
data "keycloak_generic_protocol_mapper" "organization_membership" {
realm_id = "my-realm"
client_scope_id = data.keycloak_openid_client_scope.organization.id
name = "organization"
}
# Declare the resource that will adopt the existing mapper.
resource "keycloak_generic_protocol_mapper" "organization_membership" {
realm_id = "my-realm"
client_scope_id = data.keycloak_openid_client_scope.organization.id
name = "organization"
protocol = data.keycloak_generic_protocol_mapper.organization_membership.protocol
protocol_mapper = data.keycloak_generic_protocol_mapper.organization_membership.protocol_mapper
config = data.keycloak_generic_protocol_mapper.organization_membership.config
}
# Use the data source to compute the import ID.
import {
to = keycloak_generic_protocol_mapper.organization_membership
id = "my-realm/client-scope/${data.keycloak_openid_client_scope.organization.id}/${data.keycloak_generic_protocol_mapper.organization_membership.id}"
}
```
--------------------------------
### keycloak_realm_client_registration_policy Resource Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/realm_client_registration_policy.md
This example demonstrates how to create a custom client registration policy within a Keycloak realm. It requires a pre-existing realm resource.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
}
resource "keycloak_realm_client_registration_policy" "custom" {
realm_id = keycloak_realm.realm.id
name = "My Custom Policy"
provider_id = "my-client-registration-policy"
sub_type = "anonymous"
}
```
--------------------------------
### Example Usage of keycloak_group_admin_permissions
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/group_admin_permissions.md
This example demonstrates how to configure a realm with admin permissions enabled, define an admin permissions client, create groups, and then set up a group admin permission resource. It shows how to target a specific group with multiple scopes and how to apply a permission to all groups in the realm.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
admin_permissions_enabled = true
}
data "keycloak_openid_client" "admin_permissions" {
realm_id = keycloak_realm.realm.id
client_id = "admin-permissions"
}
resource "keycloak_group" "admins" {
realm_id = keycloak_realm.realm.id
name = "admins"
}
resource "keycloak_group" "target_group" {
realm_id = keycloak_realm.realm.id
name = "my-group"
}
resource "keycloak_openid_client_group_policy" "admins_policy" {
realm_id = keycloak_realm.realm.id
resource_server_id = data.keycloak_openid_client.admin_permissions.id
name = "admins-policy"
groups {
id = keycloak_group.admins.id
path = keycloak_group.admins.path
extend_children = false
}
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
}
# Permission targeting a specific group with multiple scopes.
resource "keycloak_group_admin_permissions" "admins_manage_target_group" {
realm_id = keycloak_realm.realm.id
name = "admins-manage-my-group"
description = "Admins can view and manage members of my-group"
decision_strategy = "UNANIMOUS"
group_ids = [keycloak_group.target_group.id]
scopes = ["view", "manage-members"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
# Permission targeting ALL groups in the realm (group_ids omitted).
resource "keycloak_group_admin_permissions" "admins_view_all_groups" {
realm_id = keycloak_realm.realm.id
name = "admins-can-view-all-groups"
# group_ids omitted → applies to all groups in the realm
scopes = ["view"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
```
--------------------------------
### keycloak_openid_client_scope Resource Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_client_scope.md
This example demonstrates how to create a Keycloak OpenID client scope resource. It requires a `keycloak_realm` resource to be defined first.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client_scope" "openid_client_scope" {
realm_id = keycloak_realm.realm.id
name = "groups"
description = "When requested, this scope will map a user's group memberships to a claim"
include_in_token_scope = true
include_in_openid_provider_metadata = true
gui_order = 1
}
```
--------------------------------
### keycloak_default_groups Resource Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/default_groups.md
This example demonstrates how to configure the `keycloak_default_groups` resource. It first defines a realm and a group, then assigns the created group as a default group for the realm.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_group" "group" {
realm_id = keycloak_realm.realm.id
name = "my-group"
}
resource "keycloak_default_groups" "default" {
realm_id = keycloak_realm.realm.id
group_ids = [
keycloak_group.group.id
]
}
```
--------------------------------
### Example: Map Client Role to Client Scope
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_role_mapper.md
This example demonstrates mapping a client role to a client scope. This is useful for organizing role assignments within client scopes.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "client" {
realm_id = keycloak_realm.realm.id
client_id = "client"
name = "client"
enabled = true
access_type = "BEARER-ONLY"
}
resource "keycloak_role" "client_role" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client.id
name = "my-client-role"
description = "My Client Role"
}
resource "keycloak_openid_client_scope" "client_scope" {
realm_id = keycloak_realm.realm.id
name = "my-client-scope"
}
resource "keycloak_generic_role_mapper" "client_b_role_mapper" {
realm_id = keycloak_realm.realm.id
client_scope_id = keycloak_openid_client_scope.client_scope.id
role_id = keycloak_role.client_role.id
}
```
--------------------------------
### Example Usage of keycloak_realm_client_registration_policy Data Source
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/data-sources/realm_client_registration_policy.md
This example demonstrates how to use the data source to find a 'Trusted Hosts' client registration policy within a realm and output its ID. It requires a 'keycloak_realm' resource to be defined.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
}
data "keycloak_realm_client_registration_policy" "trusted_hosts" {
realm_id = keycloak_realm.realm.id
name = "Trusted Hosts"
provider_id = "trusted-hosts"
sub_type = "anonymous"
}
output "trusted_hosts_policy_id" {
value = data.keycloak_realm_client_registration_policy.trusted_hosts.id
}
```
--------------------------------
### Example Usage (Client Scope)
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/openid_user_session_note_protocol_mapper.md
Configure a user session note protocol mapper for a shared client scope.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client_scope" "client_scope" {
realm_id = keycloak_realm.realm.id
name = "client-scope"
}
resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_mapper" {
realm_id = keycloak_realm.realm.id
client_scope_id = keycloak_openid_client_scope.client_scope.id
name = "user-session-note-mapper"
claim_name = "foo"
claim_value_type = "String"
session_note = "bar"
}
```
--------------------------------
### Example Usage of keycloak_user_roles with exhaustive roles
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/user_roles.md
This example demonstrates how to use the keycloak_user_roles resource to manage a user's roles exhaustively. Ensure the necessary Keycloak resources like realm, roles, client, and user are defined.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_role" "realm_role" {
realm_id = keycloak_realm.realm.id
name = "my-realm-role"
description = "My Realm Role"
}
resource "keycloak_openid_client" "client" {
realm_id = keycloak_realm.realm.id
client_id = "client"
name = "client"
enabled = true
access_type = "BEARER-ONLY"
}
resource "keycloak_role" "client_role" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_client.client.id
name = "my-client-role"
description = "My Client Role"
}
resource "keycloak_user" "user" {
realm_id = keycloak_realm.realm.id
username = "bob"
enabled = true
email = "bob@domain.com"
first_name = "Bob"
last_name = "Bobson"
}
resource "keycloak_user_roles" "user_roles" {
realm_id = keycloak_realm.realm.id
user_id = keycloak_user.user.id
role_ids = [
keycloak_role.realm_role.id,
keycloak_role.client_role.id,
]
}
```
--------------------------------
### Example Usage of keycloak_role_admin_permissions
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/role_admin_permissions.md
This example demonstrates how to configure the `keycloak_role_admin_permissions` resource to manage role permissions. It includes setting up a realm, an admin permissions client, roles, a group policy, and then defining two distinct role admin permission resources: one targeting specific roles and scopes, and another targeting all roles within the realm.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
admin_permissions_enabled = true
}
data "keycloak_openid_client" "admin_permissions" {
realm_id = keycloak_realm.realm.id
client_id = "admin-permissions"
}
resource "keycloak_role" "role_a" {
realm_id = keycloak_realm.realm.id
name = "role-a"
}
resource "keycloak_role" "role_b" {
realm_id = keycloak_realm.realm.id
name = "role-b"
}
resource "keycloak_group" "admins" {
realm_id = keycloak_realm.realm.id
name = "admins"
}
resource "keycloak_openid_client_group_policy" "admins_policy" {
realm_id = keycloak_realm.realm.id
resource_server_id = data.keycloak_openid_client.admin_permissions.id
name = "admins-policy"
groups {
id = keycloak_group.admins.id
path = keycloak_group.admins.path
extend_children = false
}
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
}
# Permission targeting two specific roles with multiple scopes.
resource "keycloak_role_admin_permissions" "admins_map_specific_roles" {
realm_id = keycloak_realm.realm.id
name = "admins-can-map-specific-roles"
description = "Admins can map or make composite role-a and role-b"
decision_strategy = "UNANIMOUS"
role_ids = [
keycloak_role.role_a.id,
keycloak_role.role_b.id,
]
scopes = ["map-role", "map-role-composite"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
# Permission targeting ALL roles in the realm (role_ids omitted).
resource "keycloak_role_admin_permissions" "admins_map_any_role" {
realm_id = keycloak_realm.realm.id
name = "admins-can-map-any-role"
# role_ids omitted → applies to all roles in the realm
scopes = ["map-role"]
policies = [keycloak_openid_client_group_policy.admins_policy.id]
}
```
--------------------------------
### Example Usage: Client Role to Client Scope
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_role_mapper.md
This example demonstrates mapping a role from one client to a client scope. This is useful for organizing and assigning roles within specific contexts.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "client" {
realm_id = keycloak_realm.realm.id
client_id = "client"
name = "client"
enabled = true
access_type = "BEARER-ONLY"
}
resource "keycloak_role" "client_role" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client.id
name = "my-client-role"
description = "My Client Role"
}
resource "keycloak_openid_client_scope" "client_scope" {
realm_id = keycloak_realm.realm.id
name = "my-client-scope"
}
resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" {
realm_id = keycloak_realm.realm.id
client_scope_id = keycloak_openid_client_scope.client_scope.id
role_id = keycloak_role.client_role.id
}
```
--------------------------------
### Example: Map Realm Role to Client Scope
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_role_mapper.md
This example shows how to map a realm role to a specific client scope. This allows roles to be associated with a client scope rather than directly with a client.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client_scope" "client_scope" {
realm_id = keycloak_realm.realm.id
name = "my-client-scope"
}
resource "keycloak_role" "realm_role" {
realm_id = keycloak_realm.realm.id
name = "my-realm-role"
description = "My Realm Role"
}
resource "keycloak_generic_role_mapper" "client_role_mapper" {
realm_id = keycloak_realm.realm.id
client_scope_id = keycloak_openid_client_scope.client_scope.id
role_id = keycloak_role.realm_role.id
}
```
--------------------------------
### Example Usage: Client Role to Client
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/generic_client_role_mapper.md
This example shows how to map a role from one client (client_a) to another client (client_b). Note that `full_scope_allowed` is set to `false` for `client_a` to enable role scope mapping.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_openid_client" "client_a" {
realm_id = keycloak_realm.realm.id
client_id = "client-a"
name = "client-a"
enabled = true
access_type = "BEARER-ONLY"
// disable full scope, roles are assigned via keycloak_generic_client_role_mapper
full_scope_allowed = false
}
resource "keycloak_role" "client_role_a" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client_a.id
name = "my-client-role"
description = "My Client Role"
}
resource "keycloak_openid_client" "client_b" {
realm_id = keycloak_realm.realm.id
client_id = "client-b"
name = "client-b"
enabled = true
access_type = "BEARER-ONLY"
}
resource "keycloak_role" "client_role_b" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client_b.id
name = "my-client-role"
description = "My Client Role"
}
resource "keycloak_generic_client_role_mapper" "client_b_role_mapper" {
realm_id = keycloak_realm.realm.id
client_id = keycloak_openid_client.client_b.id
role_id = keycloak_role.client_role_a.id
}
```
--------------------------------
### Import an Organization
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/organization.md
This example shows the command to import an existing Keycloak organization into Terraform management. The organization ID is a GUID assigned by Keycloak.
```bash
$ terraform import keycloak_organization.this my-realm/cec54914-b702-4c7b-9431-b407817d059a
```
--------------------------------
### Importing keycloak_user_roles
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/user_roles.md
This example shows how to import an existing keycloak_user_roles resource using its realm ID and user ID. The user ID is a unique GUID assigned by Keycloak.
```bash
$ terraform import keycloak_user_roles.user_roles my-realm/b0ae6924-1bd5-4655-9e38-dae7c5e42924
```
--------------------------------
### OIDC Identity Provider Example
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/oidc_identity_provider.md
Create and configure an OIDC identity provider within a Keycloak realm. This snippet demonstrates the basic setup using standard arguments.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
enabled = true
}
resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
realm = keycloak_realm.realm.id
alias = "my-idp"
authorization_url = "https://authorizationurl.com"
client_id = "clientID"
client_secret = "clientSecret"
token_url = "https://tokenurl.com"
extra_config = {
"clientAuthMethod" = "client_secret_post"
}
}
```
--------------------------------
### Import an authentication flow
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/authentication_flow.md
Example of importing an existing authentication flow using its realm ID and the flow's GUID. The flow ID can be found via the Keycloak admin API.
```bash
$ terraform import keycloak_authentication_flow.flow my-realm/e9a5641e-778c-4daf-89c0-f4ef617987d1
```
--------------------------------
### Configure Realm and User Permissions
Source: https://github.com/keycloak/terraform-provider-keycloak/blob/main/docs/resources/users_permissions.md
Example of setting up a realm, enabling permissions for the realm management client, and defining user policies for fine-grained access control.
```hcl
resource "keycloak_realm" "realm" {
realm = "my-realm"
}
data "keycloak_openid_client" "realm_management" {
realm_id = keycloak_realm.realm.id
client_id = "realm-management"
}
// enable permissions for realm-management client
resource "keycloak_openid_client_permissions" "realm_management_permission" {
realm_id = keycloak_realm.realm.id
client_id = data.keycloak_openid_client.realm_management.id
enabled = true
}
// creating a user to use with the keycloak_openid_client_user_policy resource
resource "keycloak_user" "test" {
realm_id = keycloak_realm.realm.id
username = "test-user"
email = "test-user@fakedomain.com"
first_name = "Testy"
last_name = "Tester"
}
resource "keycloak_openid_client_user_policy" "test" {
realm_id = keycloak_realm.realm.id
resource_server_id = "${data.keycloak_openid_client.realm_management.id}"
name = "client_user_policy_test"
users = [keycloak_user.test.id]
logic = "POSITIVE"
decision_strategy = "UNANIMOUS"
depends_on = [
keycloak_openid_client_permissions.realm_management_permission,
]
}
resource "keycloak_users_permissions" "users_permissions" {
realm_id = keycloak_realm.realm.id
view_scope {
policies = [
keycloak_openid_client_user_policy.test.id
]
description = "description"
decision_strategy = "UNANIMOUS"
}
manage_scope {
policies = [
keycloak_openid_client_user_policy.test.id
]
description = "description"
decision_strategy = "UNANIMOUS"
}
map_roles_scope {
policies = [
keycloak_openid_client_user_policy.test.id
]
description = "description"
decision_strategy = "UNANIMOUS"
}
manage_group_membership_scope {
policies = [
keycloak_openid_client_user_policy.test.id
]
description = "description"
decision_strategy = "UNANIMOUS"
}
impersonate_scope {
policies = [
keycloak_openid_client_user_policy.test.id
]
description = "description"
decision_strategy = "UNANIMOUS"
}
user_impersonated_scope {
policies = [
keycloak_openid_client_user_policy.test.id
]
description = "description"
decision_strategy = "UNANIMOUS"
}
}
```